Malware Analysis Report

2024-12-07 14:49

Sample ID 241011-s9dqvsvfpp
Target code.vbs
SHA256 a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037
Tags
discovery exploit ransomware defense_evasion persistence
score
9/10

Analysis Overview

score
9/10

SHA256

a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037

Threat Level: Likely malicious

The file code.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit ransomware defense_evasion persistence

Renames multiple (24552) files with added filename extension

Renames multiple (13075) files with added filename extension

Drops file in Drivers directory

Possible privilege escalation attempt

Checks computer location settings

Boot or Logon Autostart Execution: Print Processors

Modifies file permissions

Indicator Removal: Clear Windows Event Logs

Drops file in System32 directory

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 15:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 15:49

Reported

2024-10-11 15:51

Platform

win7-20241010-en

Max time kernel

80s

Max time network

19s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

Signatures

Renames multiple (13075) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\ja-JP\scsiport.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dxg.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\qwavedrv.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\sffdisk.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\ataport.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\modem.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\mpio.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\BrParwdm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\umpass.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\partmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\ws2ifsl.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\amdppm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\mouhid.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dfsc.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\rndismp6.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\etc\hosts.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\rdbss.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\intelppm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\rdpwd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\isapnp.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\wdf01000.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usbccgp.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\ULIAGPKX.SYS.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\GAGP30KX.SYS.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\kbdhid.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\umbus.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\ntfs.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\pciide.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\TsUsbFlt.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\bthenum.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\wacompen.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ndproxy.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\WUDFPf.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\msdsm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\afd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\ndis.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\agilevpn.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\isapnp.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\http.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\ipnat.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\lsi_fc.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\rdbss.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\pcmcia.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\pscr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\Dot4usb.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rdbss.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mup.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usb8023.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\ataport.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\rdpwd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ksthunk.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\fvevol.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\atikmdag.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\acpi.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\usbdr.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\flpydisk.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\sfloppy.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\mountmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\usbrpm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\pcmcia.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\usbrpm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\mpio.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\ntfs.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\ws2ifsl.sys.mui.bat C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\de-DE\mmcshext.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\prngt004.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd64.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpfiew71.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\iesetup.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wmvdspa.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-SideShow-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\typeperf.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\pt-PT\comctl32.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnkm004.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\AVerFx2hbtv64.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\prnca00c.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000nt.gpd.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHC23N03.GPD.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\wsecedit.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\mlang.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\SODPFP90.GPD.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\wlanmm.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\msdt.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\perfmon.msc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wevtsvc.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5700t.gpd.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\procinst.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\unregmp2.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Msdtc\MSDTC.LOG.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnport.vbs.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\perfctrs.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\mssphtb.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky005.inf_amd64_neutral_8836be987024e6a9\prnky005.PNF.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\mdmirmdm.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\conhost.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\Bubbles.scr.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\pnrpsvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\gameux.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\sysntfy.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~fr-FR~7.1.7601.16492.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\WceISVista.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV1431E3.PPD.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\vsmraid.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\Bubbles.scr.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\prnso002.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\deskadp.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\netcfg.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ICM-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\wshom.ocx.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep005.inf_amd64_neutral_f2fbc5759618d8fb\prnep005.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS1616.GPD.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\SoundRecorder.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\localspl.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\migration\en-US\WsUpgrade.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\mapi32.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Dism\de-DE\TransmogProvider.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYW7QUR5.XML.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbcir.inf_amd64_neutral_379fb0c62496be6e\usbcir.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\msident.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNB_0340.DLL.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\2fc1718f-06ae-4245-9626-f33f11ea9a9b.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\SV36N6.GPD.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\WWanHC.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\eudcedit.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\IEAdvpack.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\qd3x64.inf_loc.bat C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 2480 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 972 wrote to memory of 2480 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 972 wrote to memory of 2480 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 2220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 2220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 15:49

Reported

2024-10-11 15:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

Signatures

Renames multiple (24552) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\es-ES\vhdmp.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\srv2.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\WUDFUsbccidDriver.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\msiscsi.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\xinputhid.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\mouhid.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\iorate.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\serial.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\sdbus.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\mshidumdf.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\fltmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dfsc.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\scfilter.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\SgrmAgent.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\sdstor.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mslldp.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\disk.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\mountmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vwififlt.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\usbstor.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\BTHUSB.SYS.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\qwavedrv.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\wacompen.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\SensorsCx.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dxgmms2.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\KNetPwrDepBroker.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\iorate.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\ja-JP\idtsec.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\null.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\sermouse.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\rdbss.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\tsusbhub.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\agilevpn.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\synth3dvsc.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\RdpIdd.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mshidkmdf.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\raspppoe.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\scfilter.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\sdbus.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\wfplwfs.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\sdbus.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\cldflt.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usbd.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\luafv.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\wpdmtpdr.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\SensorsCx.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\sdstor.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\ndisuio.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\fvevol.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\rdbss.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\wfplwfs.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\hidclass.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\IPMIDRV.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\exfat.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\afd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\BtaMPM.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ndisuio.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rfcomm.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\smbdirect.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\mslldp.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\UsbccidDriver.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\HdAudio.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\hwpolicy.sys.bat C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-VDRVROOT%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Application.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Security.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Time-Service%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.bat C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Dism\fr-FR\SmiProvider.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\dot3api.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WCOSHeadless-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\BackgroundMediaPolicy.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\KBDBE.DLL.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\SCardSvr.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\mbtr8897w81x64.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\dot3cfg.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\MdRes.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Windows.Networking.Proximity.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\netrtwlane.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\ngccredprov.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetLbfo\MSFT_NetLbfoTeam.format.ps1xml.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Http-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\eapsvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\shlwapi.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\vac.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\twext.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\activeds.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\VSSVC.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HypervisorPlatform-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ConfigCI-Onecore-WOW64-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\prnms007.PNF.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\C_10003.NLS.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\smbwmiv2.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\PresentationHost.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNoteNames.gpd.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\NgcRecovery.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\w32tm.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Hydrogen\BakedPlugins\Animation\preseteasecurveinoutexpo.hbakedcurve.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\migwiz\replacementmanifests\iis-sharedlibraries-rm.man.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\migwiz\replacementmanifests\SettingSync-repl.man.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\ja-JP\vsswmi.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\FXSTIFF.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\Windows.Devices.LowLevel.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\NetTCPIP.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\nltest.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\SettingsHandlers_Geolocation.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\mfplat.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\eapphost.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fssystem.inf_amd64_89e15d7e662d6584\c_fssystem.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\pcwutl.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\IME\IMEJP\IMJPCMLD.DLL.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\TieringEngineProxy.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WPD-UltimatePortableDeviceFeature-Feature-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\lpr.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfcvsc.inf_amd64_dfe08f401a2eedbc\wfcvsc.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\FirewallControlPanel.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\zh-CN\quickassist.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\upnp.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Speech_OneCore\Engines\SR\spsreng_onecore.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\msv1_0.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Server-D-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StorageService-Package~31bf3856ad364e35~amd64~~10.0.19041.207.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\hidserv.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_3ae2ea3a55ec0279\mdmsier.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\wvmbus.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\D6E15C5FE0484F1B1192CEC9DD7DCE6A.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\appmgr.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\wbadmin.exe.mui.bat C:\Windows\System32\WScript.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133731353600722318" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 3144 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1516 wrote to memory of 3144 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3144 wrote to memory of 3244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3144 wrote to memory of 3244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4032 wrote to memory of 3476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2412 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 2412 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4032 wrote to memory of 3860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb6a2cc40,0x7ffcb6a2cc4c,0x7ffcb6a2cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2512 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2036,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2624 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4528,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4896,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3332,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            14.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53            0.204.248.87.in-addr.arpa     udp
US       8.8.8.8:53            g.bing.com                    udp
US       8.8.8.8:53            www.google.com                udp
GB       142.250.200.36:443    www.google.com                tcp
US       8.8.8.8:53            ogads-pa.googleapis.com       udp
US       8.8.8.8:53            apis.google.com               udp
GB       142.250.200.46:443    apis.google.com               udp
US       150.171.28.10:443     g.bing.com                    tcp
US       8.8.8.8:53            3.180.250.142.in-addr.arpa    udp
US       8.8.8.8:53            10.200.250.142.in-addr.arpa   udp
US       8.8.8.8:53            36.200.250.142.in-addr.arpa   udp
US       8.8.8.8:53            195.187.250.142.in-addr.arpa  udp
US       8.8.8.8:53            play.google.com               udp
GB       142.250.187.238:443   play.google.com               udp
GB       142.250.187.238:443   play.google.com               tcp
US       8.8.8.8:53            205.47.74.20.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            238.187.250.142.in-addr.arpa  udp
US       8.8.8.8:53            clients2.google.com           udp
GB       142.250.200.14:443    clients2.google.com           udp
GB       142.250.200.14:443    clients2.google.com           tcp
N/A      224.0.0.251:5353                                    udp
US       8.8.8.8:53            14.200.250.142.in-addr.arpa   udp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53            update.msiservers.lan         udp
US       8.8.8.8:53            43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53            accounts.server.lan           udp
US       8.8.8.8:53            beacons.gcp.gvt2.com          udp
GB       172.217.169.3:443     beacons.gcp.gvt2.com          tcp
US       8.8.8.8:53            3.169.217.172.in-addr.arpa    udp

Files

\??\pipe\crashpad_4032_CJZODIEPCXVEZBIU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 693c9daf41305cca6ba09b4114a00164
SHA1 0e9d0911b397e49bc52f077d5224862a7c7af821
SHA256 264649a741e54ecbbf8d2db336bd031d9e64aca0bfff19c3bdf3af9f6c703a0a
SHA512 768422b800796a858fb24ed488e2ccd04fd68a7fb2628d23a8842537d2fa27d2cf5c9e8a0057a25c40459354f4c0def6a00f4c11f74cd108dc9e4bf974f2bb08

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ff7e07784f9366656f4cde5cf74fd0fd
SHA1 98e0a749f7bcd9fc4172b3d424eb131cb744d9e4
SHA256 d6be5ba8a76eb63ad5317dc6667f396a43079c36dfab1cf16c38717d202950ef
SHA512 98e33549d4fc136a02a1f0432d3b789cdd7210b4f3c88d1cd693ac3794055b2f6360ae3f3bdf15efe670deec0c250b9f8e836e147ac66dd0232fbb7c12e0be2d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8dc7a58daa4edb23a1d05ec1e85418f1
SHA1 8f591d48a440a33c33b5659accda39384cdead23
SHA256 776f36bebb89f3e962dc5f322531a6fc732e21e83cce0a1ffc42beb31470a81f
SHA512 c4362300d338adcdab000c56b291dcef6e4a53616960a5282e94038da3a86b6eb1633b50a8fca093a3d8924d3c71037ccc971eef641006ad11f79eed124b83aa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f7cd7926665d78feb46e6d409e18efaf
SHA1 88e22c27176e3f9b8be42fe0a9c00f3673b8f086
SHA256 4748a554e80a64c845fe1c55117caafb9d0e9be035409739350268471d75a204
SHA512 1aecf6551597265e06c71048ff1e7fe2ceb6a224d04c8c287ce5d790124ef1a66b1cb0acd4d241ce0bf5c141f9d862c8046e82e87d4c73986c0c60a20912b4be

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2133332b284d8d332c9188a251f7ee9a
SHA1 18891ed2e304c7a6126d10c5331c11d7e8075428
SHA256 1169bb249e27652711facaaee1d3a8c8c280018760bda947bf181ef2fe5e8810
SHA512 321115b9e9662904283b209eb74551eb75df6c13c51a02461c91d22cecbef01d93279b63b30ecbdf0d5d27875e4467578e03643c790c667cd68bef36502d86b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bb9bd786cd0f91601db6c062210f1b8b
SHA1 32710aa98c02ee950aa313e14645a1dd4d06c908
SHA256 532e5674f88bf0895132aabbc959e32f2f6171ee8c24ef8c007830e5a7d334c4
SHA512 7c1616f14f04384fef1004f9315fca89aadb321935aafd1b208ce72cccc6d18d5b1288ed3c6ecdf70cad78dcc4520904bc29eb9f5825b4b11421f5fd5eeafbaa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 10aa12608772778c7750ccbb0f36c47a
SHA1 afb59c3b902d59d53e0f605047cae9503149bf55
SHA256 794578f02594831b54ad81aa581a43262601a04c56b25abe5a5f95c26cfded10
SHA512 5750adb6b0e6f953d5b0a29435091144591aa6904b1abf6253c725b9f28215131800222f678eed197d8126ea5c16fbf3761aa28c1ad51dac40b1b18f5c3a62bc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 51c4553059afd6f433e03c597b8ee382
SHA1 a30b986b0eb1d2949bffa13bb777cb85f94aac7a
SHA256 9e0982fb6235328fa1efbe8b63ca02e8652b5b70a9796dcdc4cb6888aa8f8903
SHA512 1276a1902c3fcfce1af1d917a233b31c24f308ee880754a8ff7bfe3e5924302ad3a84637fdfbe530ee0f95cb6ec9979926484796c7466d34116ea9df745444b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fedd79e193f65b681163bf92818b042e
SHA1 c4f81bfdcb31d875c7d123464c8632307fa753d1
SHA256 771ad117cd4694c64a0ba8f523f490c22e78a94f7b7a177f13d34c0065d5b4ab
SHA512 a53a5ebcda10b7eb404775dbed4a64070480a685a8f8773213bf835ba63f5cef401da423b561c254f2f1846f390a4291476cc62da0f196d4dd3d1da68218d16f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 55c07df4802e15ee32d3590c5dbece82
SHA1 a14a7487da2985e874562d988dc105fa925beff7
SHA256 cbde966e852a2718f035655406f1a0ccd83d5ee1e6cc1e635532cec678661752
SHA512 8f8659b7906d5bbcfb6cd6ee5487df3e54ea3d076639c54009543f0ad684f222826d7bc10f830ad9c3ab97ab5ca55be57ba0f906cc3da3779a1b57f35e02120b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 05fcc4f6a6d3291b41cdd5f8b64c4756
SHA1 96a975526e27573ed92f609b358ed1f54eb443c3
SHA256 08392953b24864e0bf0a57a1b216fef5b4681710f09111c62cfa38a23b0f63cb
SHA512 6ea3ff6815f61d703a47d0173409b993decba41287c75fc5c075694272093f5458cb78a21c4e28fcec9bb3fcde79b39b4eb8e439d5376bbdef82dbb7971a13de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b93d3379261be9a5e53feea427f78239
SHA1 005588cebd35cbf8bdb95aca892bfc1464d28efd
SHA256 399f694a4774d092532eeb96a382ad83f8d4a16ee5b68fc1d8883e43d9e9be4a
SHA512 1afd22694ef0396e4932691f3e4e0f03701a8fc9b6ce32eaaa35d7af29636a7d5a835dbd09ba03475c690003187bb0a8bbc0c2fe553e65c188969428ff41b105

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5764b984d408362de20042178c7211fc
SHA1 b960a42ebaeced3da9dec8600bb586d46e0a3599
SHA256 3fbc562004b44eb8fd8fe3ff385eea1d3a8ac65f484d68a961f2068ba36b7e9c
SHA512 335def9170c660aa90414a67091eadcc46f90399c690041a5f2e77b8eddd691f13664e58a3f67cc28d5fa521ea5cfdb16ad997acb2d6ca73a376708e6fe7f3ea

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6b6171558f2e964f967c566337b14b7e
SHA1 03d884e56f45d684c7a07b6fe5acd6920380a5d2
SHA256 52b2c376bcae00a1142f0f9c004171ac5465847cd15f8a3efcf6d5f8bfcb6859
SHA512 504309fd3cd3c341485f9356441badcd7281d21809187cad7fc1d3376cdd111b830ad0571598ea5d3027fc965a1927b744a89f68e79064a294ef9cc0b792ad98