Analysis Overview
SHA256
a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037
Threat Level: Likely malicious
The file code.vbs was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (24552) files with added filename extension
Renames multiple (13075) files with added filename extension
Drops file in Drivers directory
Possible privilege escalation attempt
Checks computer location settings
Boot or Logon Autostart Execution: Print Processors
Modifies file permissions
Indicator Removal: Clear Windows Event Logs
Drops file in System32 directory
Enumerates physical storage devices
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 15:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 15:49
Reported
2024-10-11 15:51
Platform
win7-20241010-en
Max time kernel
80s
Max time network
19s
Command Line
Signatures
Renames multiple (13075) files with added filename extension
Drops file in Drivers directory
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 972 wrote to memory of 2480 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 972 wrote to memory of 2480 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 972 wrote to memory of 2480 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2480 wrote to memory of 2220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2480 wrote to memory of 2220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2480 wrote to memory of 2220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2480 wrote to memory of 2968 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2480 wrote to memory of 2968 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2480 wrote to memory of 2968 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\* /grant everyone:(F)
Network
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 15:49
Reported
2024-10-11 15:51
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Renames multiple (24552) files with added filename extension
Drops file in Drivers directory
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Time-Service%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Dism\fr-FR\SmiProvider.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\dot3api.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WCOSHeadless-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\BackgroundMediaPolicy.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\KBDBE.DLL.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\SCardSvr.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\de-DE\mbtr8897w81x64.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\dot3cfg.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\MdRes.exe.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Windows.Networking.Proximity.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\ja-JP\netrtwlane.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\ngccredprov.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetLbfo\MSFT_NetLbfoTeam.format.ps1xml.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Http-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\eapsvc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\shlwapi.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\vac.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\uk-UA\twext.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\activeds.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\VSSVC.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HypervisorPlatform-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ConfigCI-Onecore-WOW64-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\prnms007.PNF.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\C_10003.NLS.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\smbwmiv2.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\PresentationHost.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNoteNames.gpd.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\NgcRecovery.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\w32tm.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Hydrogen\BakedPlugins\Animation\preseteasecurveinoutexpo.hbakedcurve.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\migwiz\replacementmanifests\iis-sharedlibraries-rm.man.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\migwiz\replacementmanifests\SettingSync-repl.man.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\ja-JP\vsswmi.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\FXSTIFF.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\Windows.Devices.LowLevel.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\NetTCPIP.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\nltest.exe.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\SettingsHandlers_Geolocation.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\mfplat.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\eapphost.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_fssystem.inf_amd64_89e15d7e662d6584\c_fssystem.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\pcwutl.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\IME\IMEJP\IMJPCMLD.DLL.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\TieringEngineProxy.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WPD-UltimatePortableDeviceFeature-Feature-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\lpr.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wfcvsc.inf_amd64_dfe08f401a2eedbc\wfcvsc.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\FirewallControlPanel.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\zh-CN\quickassist.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\upnp.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Speech_OneCore\Engines\SR\spsreng_onecore.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\msv1_0.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Server-D-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StorageService-Package~31bf3856ad364e35~amd64~~10.0.19041.207.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\en-US\hidserv.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_3ae2ea3a55ec0279\mdmsier.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\fr-FR\wvmbus.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\D6E15C5FE0484F1B1192CEC9DD7DCE6A.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\appmgr.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\wbadmin.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133731353600722318" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb6a2cc40,0x7ffcb6a2cc4c,0x7ffcb6a2cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2512 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2036,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2624 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4528,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\* /grant everyone:(F)
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4896,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3332,i,2246984266791491869,6793076274077975382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.46:443 | apis.google.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.238:443 | play.google.com | udp |
| GB | 142.250.187.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.200.14:443 | clients2.google.com | udp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.msiservers.lan | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.server.lan | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.3:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4032_CJZODIEPCXVEZBIU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 693c9daf41305cca6ba09b4114a00164 |
| SHA1 | 0e9d0911b397e49bc52f077d5224862a7c7af821 |
| SHA256 | 264649a741e54ecbbf8d2db336bd031d9e64aca0bfff19c3bdf3af9f6c703a0a |
| SHA512 | 768422b800796a858fb24ed488e2ccd04fd68a7fb2628d23a8842537d2fa27d2cf5c9e8a0057a25c40459354f4c0def6a00f4c11f74cd108dc9e4bf974f2bb08 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ff7e07784f9366656f4cde5cf74fd0fd |
| SHA1 | 98e0a749f7bcd9fc4172b3d424eb131cb744d9e4 |
| SHA256 | d6be5ba8a76eb63ad5317dc6667f396a43079c36dfab1cf16c38717d202950ef |
| SHA512 | 98e33549d4fc136a02a1f0432d3b789cdd7210b4f3c88d1cd693ac3794055b2f6360ae3f3bdf15efe670deec0c250b9f8e836e147ac66dd0232fbb7c12e0be2d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8dc7a58daa4edb23a1d05ec1e85418f1 |
| SHA1 | 8f591d48a440a33c33b5659accda39384cdead23 |
| SHA256 | 776f36bebb89f3e962dc5f322531a6fc732e21e83cce0a1ffc42beb31470a81f |
| SHA512 | c4362300d338adcdab000c56b291dcef6e4a53616960a5282e94038da3a86b6eb1633b50a8fca093a3d8924d3c71037ccc971eef641006ad11f79eed124b83aa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | f7cd7926665d78feb46e6d409e18efaf |
| SHA1 | 88e22c27176e3f9b8be42fe0a9c00f3673b8f086 |
| SHA256 | 4748a554e80a64c845fe1c55117caafb9d0e9be035409739350268471d75a204 |
| SHA512 | 1aecf6551597265e06c71048ff1e7fe2ceb6a224d04c8c287ce5d790124ef1a66b1cb0acd4d241ce0bf5c141f9d862c8046e82e87d4c73986c0c60a20912b4be |
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2133332b284d8d332c9188a251f7ee9a |
| SHA1 | 18891ed2e304c7a6126d10c5331c11d7e8075428 |
| SHA256 | 1169bb249e27652711facaaee1d3a8c8c280018760bda947bf181ef2fe5e8810 |
| SHA512 | 321115b9e9662904283b209eb74551eb75df6c13c51a02461c91d22cecbef01d93279b63b30ecbdf0d5d27875e4467578e03643c790c667cd68bef36502d86b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bb9bd786cd0f91601db6c062210f1b8b |
| SHA1 | 32710aa98c02ee950aa313e14645a1dd4d06c908 |
| SHA256 | 532e5674f88bf0895132aabbc959e32f2f6171ee8c24ef8c007830e5a7d334c4 |
| SHA512 | 7c1616f14f04384fef1004f9315fca89aadb321935aafd1b208ce72cccc6d18d5b1288ed3c6ecdf70cad78dcc4520904bc29eb9f5825b4b11421f5fd5eeafbaa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 10aa12608772778c7750ccbb0f36c47a |
| SHA1 | afb59c3b902d59d53e0f605047cae9503149bf55 |
| SHA256 | 794578f02594831b54ad81aa581a43262601a04c56b25abe5a5f95c26cfded10 |
| SHA512 | 5750adb6b0e6f953d5b0a29435091144591aa6904b1abf6253c725b9f28215131800222f678eed197d8126ea5c16fbf3761aa28c1ad51dac40b1b18f5c3a62bc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 51c4553059afd6f433e03c597b8ee382 |
| SHA1 | a30b986b0eb1d2949bffa13bb777cb85f94aac7a |
| SHA256 | 9e0982fb6235328fa1efbe8b63ca02e8652b5b70a9796dcdc4cb6888aa8f8903 |
| SHA512 | 1276a1902c3fcfce1af1d917a233b31c24f308ee880754a8ff7bfe3e5924302ad3a84637fdfbe530ee0f95cb6ec9979926484796c7466d34116ea9df745444b6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fedd79e193f65b681163bf92818b042e |
| SHA1 | c4f81bfdcb31d875c7d123464c8632307fa753d1 |
| SHA256 | 771ad117cd4694c64a0ba8f523f490c22e78a94f7b7a177f13d34c0065d5b4ab |
| SHA512 | a53a5ebcda10b7eb404775dbed4a64070480a685a8f8773213bf835ba63f5cef401da423b561c254f2f1846f390a4291476cc62da0f196d4dd3d1da68218d16f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 55c07df4802e15ee32d3590c5dbece82 |
| SHA1 | a14a7487da2985e874562d988dc105fa925beff7 |
| SHA256 | cbde966e852a2718f035655406f1a0ccd83d5ee1e6cc1e635532cec678661752 |
| SHA512 | 8f8659b7906d5bbcfb6cd6ee5487df3e54ea3d076639c54009543f0ad684f222826d7bc10f830ad9c3ab97ab5ca55be57ba0f906cc3da3779a1b57f35e02120b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 05fcc4f6a6d3291b41cdd5f8b64c4756 |
| SHA1 | 96a975526e27573ed92f609b358ed1f54eb443c3 |
| SHA256 | 08392953b24864e0bf0a57a1b216fef5b4681710f09111c62cfa38a23b0f63cb |
| SHA512 | 6ea3ff6815f61d703a47d0173409b993decba41287c75fc5c075694272093f5458cb78a21c4e28fcec9bb3fcde79b39b4eb8e439d5376bbdef82dbb7971a13de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b93d3379261be9a5e53feea427f78239 |
| SHA1 | 005588cebd35cbf8bdb95aca892bfc1464d28efd |
| SHA256 | 399f694a4774d092532eeb96a382ad83f8d4a16ee5b68fc1d8883e43d9e9be4a |
| SHA512 | 1afd22694ef0396e4932691f3e4e0f03701a8fc9b6ce32eaaa35d7af29636a7d5a835dbd09ba03475c690003187bb0a8bbc0c2fe553e65c188969428ff41b105 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5764b984d408362de20042178c7211fc |
| SHA1 | b960a42ebaeced3da9dec8600bb586d46e0a3599 |
| SHA256 | 3fbc562004b44eb8fd8fe3ff385eea1d3a8ac65f484d68a961f2068ba36b7e9c |
| SHA512 | 335def9170c660aa90414a67091eadcc46f90399c690041a5f2e77b8eddd691f13664e58a3f67cc28d5fa521ea5cfdb16ad997acb2d6ca73a376708e6fe7f3ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6b6171558f2e964f967c566337b14b7e |
| SHA1 | 03d884e56f45d684c7a07b6fe5acd6920380a5d2 |
| SHA256 | 52b2c376bcae00a1142f0f9c004171ac5465847cd15f8a3efcf6d5f8bfcb6859 |
| SHA512 | 504309fd3cd3c341485f9356441badcd7281d21809187cad7fc1d3376cdd111b830ad0571598ea5d3027fc965a1927b744a89f68e79064a294ef9cc0b792ad98 |