Analysis
max time kernel: 359s
max time network: 359s
platform: windows10-2004_x64
resource: win10v2004-20240426-uk
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-uk, locale:uk-ua, os:windows10-2004-x64, system:windows
submitted: 03/05/2024, 13:39
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://youtube.com
Resource: win10v2004-20240426-uk
General
Target: https://youtube.com
The malware signatures below are not produced by the browser session on that URL. They come from SampCheat.exe, extracted with 7-Zip from C:\Users\Admin\Downloads\SampCheat.zip and launched from the desktop during the interactive run (see the process list at the end), and from the executables it drops.
Malware Config
Signatures
Detect ZGRat V1 (11 IoCs)
resource / yara_rule:
- behavioral1/files/0x000b0000000235ce-1128.dat: family_zgrat_v1
- behavioral1/files/0x00070000000235cf-1133.dat: family_zgrat_v1
- behavioral1/memory/3876-1229-0x0000000000400000-0x0000000000AAC000-memory.dmp: family_zgrat_v1
- behavioral1/files/0x00080000000235d3-1286.dat: family_zgrat_v1
- behavioral1/memory/3912-1288-0x0000000000D60000-0x0000000000F3A000-memory.dmp: family_zgrat_v1
- behavioral1/memory/3292-1306-0x0000000000400000-0x0000000000AAC000-memory.dmp: family_zgrat_v1
- behavioral1/memory/2820-1429-0x0000000000400000-0x0000000000AAC000-memory.dmp: family_zgrat_v1
- behavioral1/memory/2820-1455-0x0000000000400000-0x0000000000AAC000-memory.dmp: family_zgrat_v1
- behavioral1/memory/2820-1469-0x0000000000400000-0x0000000000AAC000-memory.dmp: family_zgrat_v1
- behavioral1/memory/2820-1484-0x0000000000400000-0x0000000000AAC000-memory.dmp: family_zgrat_v1
- behavioral1/memory/2820-1508-0x0000000000400000-0x0000000000AAC000-memory.dmp: family_zgrat_v1
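Three of the memory hits above share one address range while the Bridgesurrogate.exe hit does not, and that is worth pulling out of the report before opening any dump. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses hit names in the report's behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp form (the meaning of the fields is inferred from the names), groups the hits by base address and region size, and labels the PIDs with the image names from the "Executes dropped EXE" table further down. The hit list and the PID-to-name map are copied from this report; nothing else is assumed.

```python
import re
from collections import defaultdict

# YARA hit names copied from this report's "Detect ZGRat V1" table.
ZGRAT_HITS = [
    "behavioral1/files/0x000b0000000235ce-1128.dat",
    "behavioral1/files/0x00070000000235cf-1133.dat",
    "behavioral1/memory/3876-1229-0x0000000000400000-0x0000000000AAC000-memory.dmp",
    "behavioral1/files/0x00080000000235d3-1286.dat",
    "behavioral1/memory/3912-1288-0x0000000000D60000-0x0000000000F3A000-memory.dmp",
    "behavioral1/memory/3292-1306-0x0000000000400000-0x0000000000AAC000-memory.dmp",
    "behavioral1/memory/2820-1429-0x0000000000400000-0x0000000000AAC000-memory.dmp",
    "behavioral1/memory/2820-1455-0x0000000000400000-0x0000000000AAC000-memory.dmp",
    "behavioral1/memory/2820-1469-0x0000000000400000-0x0000000000AAC000-memory.dmp",
    "behavioral1/memory/2820-1484-0x0000000000400000-0x0000000000AAC000-memory.dmp",
    "behavioral1/memory/2820-1508-0x0000000000400000-0x0000000000AAC000-memory.dmp",
]

# PID -> image name, taken from the report's "Executes dropped EXE" table.
PID_NAMES = {
    3876: "SampCheat.exe",
    3292: "SampCheat.exe",
    2820: "Synaptics.exe",
    3912: "Bridgesurrogate.exe",
}

# Field layout inferred from the hit names: <pid>-<sequence>-<start>-<end>.
MEM_RE = re.compile(
    r"^behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_memory_hit(name):
    """Return (pid, seq, start, end) for a memory-dump hit, or None for a file hit."""
    m = MEM_RE.match(name)
    if m is None:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def group_regions(hits):
    """Map (base address, region size) -> sorted list of PIDs where that exact region matched."""
    regions = defaultdict(set)
    for name in hits:
        parsed = parse_memory_hit(name)
        if parsed is None:
            continue                      # file hits carry no address; skip them
        pid, _seq, start, end = parsed
        regions[(start, end - start)].add(pid)
    return {key: sorted(pids) for key, pids in regions.items()}


def shared_payloads(hits, names):
    """Regions that matched in more than one process: the same image mapped in each of them."""
    out = []
    for (start, size), pids in sorted(group_regions(hits).items()):
        if len(pids) > 1:
            out.append({
                "base": hex(start),
                "size": hex(size),
                "processes": [f"{pid} {names.get(pid, '?')}" for pid in pids],
            })
    return out


if __name__ == "__main__":
    for region in shared_payloads(ZGRAT_HITS, PID_NAMES):
        print(region)
```

Run against the copied list it reports one shared region, base 0x400000 and size 0x6ac000, present in PIDs 2820, 3292 and 3876 (Synaptics.exe and both SampCheat.exe instances). 0x400000 is the linker's default image base for 32-bit executables, and an identical size in three processes points to the same payload image being loaded in each; the Bridgesurrogate.exe region at 0xD60000 (size 0x1da000) is a different, smaller image that still matched the same family rule, so it is a separate binary to pull and compare.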
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
All six records are "Set value (str)" writes to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by Bridgesurrogate.exe. Winlogon launches every comma-separated program in this value at logon, so each write appends one more executable to run beside explorer.exe. The six values, decoded and listed in order of growing length:
- explorer.exe, "C:\Users\Admin\NetHood\chrome.exe"
- explorer.exe, "C:\Users\Admin\NetHood\chrome.exe", "C:\Windows\es-ES\RuntimeBroker.exe"
- explorer.exe, "C:\Users\Admin\NetHood\chrome.exe", "C:\Windows\es-ES\RuntimeBroker.exe", "C:\Recovery\WindowsRE\audiodg.exe"
- explorer.exe, "C:\Users\Admin\NetHood\chrome.exe", "C:\Windows\es-ES\RuntimeBroker.exe", "C:\Recovery\WindowsRE\audiodg.exe", "C:\Recovery\WindowsRE\spoolsv.exe"
- explorer.exe, "C:\Users\Admin\NetHood\chrome.exe", "C:\Windows\es-ES\RuntimeBroker.exe", "C:\Recovery\WindowsRE\audiodg.exe", "C:\Recovery\WindowsRE\spoolsv.exe", "C:\Program Files\VideoLAN\VLC\SearchApp.exe"
- explorer.exe, "C:\Users\Admin\NetHood\chrome.exe", "C:\Windows\es-ES\RuntimeBroker.exe", "C:\Recovery\WindowsRE\audiodg.exe", "C:\Recovery\WindowsRE\spoolsv.exe", "C:\Program Files\VideoLAN\VLC\SearchApp.exe", "C:\MsAgentBrowserdhcp\Bridgesurrogate.exe"
Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- 648 powershell.exe
- 2884 powershell.exe
- 1412 powershell.exe
- 2340 powershell.exe
- 3064 powershell.exe
- 4432 powershell.exe
Checks computer location settings (2 TTPs, 10 IoCs)
Looks up the country code configured in the registry, likely a geofence. This key is also read by ordinary runtime locale initialisation, so a single read is weak evidence on its own; it is notable here because every dropped process performs it.
All ten hits are "Key value queried" on \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation, by:
- Bridgesurrogate.exe (1 hit)
- SampCheat.exe (2 hits)
- ._cache_SampCheat.exe (2 hits)
- WScript.exe (3 hits)
- Synaptics.exe (1 hit)
- ._cache_Synaptics.exe (1 hit)
Executes dropped EXE (10 IoCs)
- 3876 SampCheat.exe
- 4388 ._cache_SampCheat.exe
- 2820 Synaptics.exe
- 1164 ._cache_Synaptics.exe
- 3912 Bridgesurrogate.exe
- 3292 SampCheat.exe
- 2912 Bridgesurrogate.exe
- 1452 ._cache_SampCheat.exe
- 5620 Bridgesurrogate.exe
- 5860 SearchApp.exe
Loads dropped DLL (13 IoCs)
- 2820 Synaptics.exe (4 hits)
- 1412 WScript.exe (1 hit)
- 3292 SampCheat.exe (4 hits)
- 2328 WScript.exe (1 hit)
- 1452 ._cache_SampCheat.exe (2 hits)
- 3476 WScript.exe (1 hit)
Adds Run key to start application (2 TTPs, 13 IoCs)
All thirteen records are "Set value (str)" writes. HKLM below stands for \REGISTRY\MACHINE and HKU for \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000; values are shown decoded, with the quotes that are part of the stored data kept.
- HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = C:\ProgramData\Synaptics\Synaptics.exe (SampCheat.exe; the value name is non-ASCII and is rendered as ????? on this page)
- HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\Windows\es-ES\RuntimeBroker.exe" (Bridgesurrogate.exe)
- HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\Recovery\WindowsRE\spoolsv.exe" (Bridgesurrogate.exe)
- HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "C:\Program Files\VideoLAN\VLC\SearchApp.exe" (Bridgesurrogate.exe)
- HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "C:\Recovery\WindowsRE\audiodg.exe" (Bridgesurrogate.exe)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "C:\Recovery\WindowsRE\audiodg.exe" (Bridgesurrogate.exe)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "C:\MsAgentBrowserdhcp\Bridgesurrogate.exe" (Bridgesurrogate.exe)
- HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "C:\MsAgentBrowserdhcp\Bridgesurrogate.exe" (Bridgesurrogate.exe)
- HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\Users\Admin\NetHood\chrome.exe" (Bridgesurrogate.exe)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\Users\Admin\NetHood\chrome.exe" (Bridgesurrogate.exe)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\Windows\es-ES\RuntimeBroker.exe" (Bridgesurrogate.exe)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "C:\Program Files\VideoLAN\VLC\SearchApp.exe" (Bridgesurrogate.exe)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\Recovery\WindowsRE\spoolsv.exe" (Bridgesurrogate.exe)
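Read together, the Winlogon Shell and Run-key records above describe one persistence scheme: copies of the payload named after Windows binaries (RuntimeBroker.exe, audiodg.exe, spoolsv.exe, SearchApp.exe) or after the browser (chrome.exe), planted in directories where those names never legitimately live, and registered to start at logon under both the machine and the user hive. The Python below is an added example, not code from the report or from the sandbox vendor. It parses records in the report's raw `Set value (str) <key> = "<escaped value>" <process>` form, undoes the \\ and \" escaping, expands the comma-separated Shell list, and flags two conditions: a Shell value that is anything but explorer.exe, and an autorun target whose filename is a known Windows or browser binary but whose directory is not where that binary is installed, or whose directory is user-writable or a made-up root-level folder. EXPECTED_DIRS and the directory heuristics are my assumptions for illustration, not a complete allow-list (per-user browser installs, for instance, would need the profile path added). The first six records are copied from this report, with the ????? value name reproduced as the page renders it; the SecurityHealth record is constructed to show a default Windows autorun passing the check.

```python
import re
from pathlib import PureWindowsPath

# Records copied from this report's Winlogon and Run-key tables (raw escaped form),
# plus one constructed benign record (a default Windows 10 autorun) for contrast.
REPORT_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\NetHood\\chrome.exe\", \"C:\\Windows\\es-ES\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\audiodg.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" Bridgesurrogate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" SampCheat.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\es-ES\\RuntimeBroker.exe\"" Bridgesurrogate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\WindowsRE\\audiodg.exe\"" Bridgesurrogate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\"" Bridgesurrogate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\NetHood\\chrome.exe\"" Bridgesurrogate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe
'''

# Assumed allow-list (illustrative, lower-case): where each impersonated binary really lives.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "searchapp.exe": {r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy"},
    "chrome.exe": {r"c:\program files\google\chrome\application",
                   r"c:\program files (x86)\google\chrome\application"},
}

RECORD_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<val>(?:[^"\\]|\\.)*)" (?P<proc>\S+)$'
)


def unescape(raw):
    """Undo the report's escaping: any backslash-escaped character becomes itself."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_record(line):
    """Split one raw record into key, decoded value and writing process; None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    return {"key": m["key"], "value": unescape(m["val"]), "process": m["proc"]}


def programs_in_value(key, value):
    """Winlogon\\Shell holds a comma-separated program list; a Run value is one quoted command."""
    if key.lower().endswith(r"\winlogon\shell"):
        return [p.strip().strip('"') for p in value.split(",") if p.strip()]
    return [value.strip().strip('"')]


def classify_program(path):
    """Return a reason if an autorun target looks planted, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if parent == "." and name == "explorer.exe":      # bare shell name, resolved from the system path
        return None
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and parent not in expected:
        return f"{p.name} outside its expected directory ({parent})"
    # ProgramData and the user profile are writable without admin rights; C:\Recovery never
    # holds autorun programs; a fresh root-level folder outside Windows/Program Files is a red flag.
    odd_location = parent.startswith(("c:\\users\\", "c:\\programdata", "c:\\recovery"))
    root_level = parent.count("\\") == 1 and not parent.startswith(("c:\\windows", "c:\\program files"))
    if odd_location or root_level:
        return f"autorun from a non-standard location ({parent})"
    return None


def audit(lines):
    """Parse every record and return findings as (key, process, program, reason) tuples."""
    findings = []
    for line in lines.strip().splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        progs = programs_in_value(rec["key"], rec["value"])
        if rec["key"].lower().endswith(r"\winlogon\shell") and progs != ["explorer.exe"]:
            findings.append((rec["key"], rec["process"], ", ".join(progs[1:]),
                             f"Winlogon Shell extended with {len(progs) - 1} extra program(s)"))
        for prog in progs:
            reason = classify_program(prog)
            if reason:
                findings.append((rec["key"], rec["process"], prog, reason))
    return findings


if __name__ == "__main__":
    for key, proc, prog, reason in audit(REPORT_LINES):
        print(f"{proc}: {reason}\n    {key}\n    {prog}")
```

Against the copied records it returns twelve findings: one for the Shell value carrying six programs beyond explorer.exe, and one per planted executable whether reached through the Shell list or a Run value (the same files appear in both), while the constructed SecurityHealth entry passes. On a live host the same classification applies to an export of those keys; only the parser in front of it changes.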
Drops file in System32 directory (2 IoCs)
- File created \??\c:\Windows\System32\CSCE7A81917C93A4AE6B67D9565844629EC.TMP (csc.exe)
- File created \??\c:\Windows\System32\t4pfwd.exe (csc.exe)
csc.exe is the .NET C# compiler; an executable it writes into System32 during the run means source was compiled on the fly with administrative rights (PowerShell's Add-Type is a common route), so t4pfwd.exe is a build product of this session rather than a file carried in the download.
Drops file in Program Files directory (3 IoCs)
- File created C:\Program Files\VideoLAN\VLC\SearchApp.exe (Bridgesurrogate.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\SearchApp.exe (Bridgesurrogate.exe)
- File created C:\Program Files\VideoLAN\VLC\38384e6a620884 (Bridgesurrogate.exe)
Drops file in Windows directory (2 IoCs)
- File created C:\Windows\es-ES\RuntimeBroker.exe (Bridgesurrogate.exe)
- File created C:\Windows\es-ES\9e8d7a4ca61bd9 (Bridgesurrogate.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read to detect sandboxing environments. The only process recorded here is taskmgr.exe, the Task Manager instance that ran during the interactive session (PID 5656 in the lists below), so nothing ties this hit to the dropped samples.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe, 2 hits)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe, 2 hits)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe, 2 hits)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Modifies data under HKEY_USERS (2 IoCs)
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592171950165471" (chrome.exe)
Modifies registry class (14 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (._cache_Synaptics.exe)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (._cache_SampCheat.exe, 2 hits)
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{8BB28F77-6118-45CF-BC14-9B44D0FF7C81} (chrome.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (SampCheat.exe, 2 hits)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (Bridgesurrogate.exe)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (taskmgr.exe)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (taskmgr.exe)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (taskmgr.exe)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 (taskmgr.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff (taskmgr.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 (taskmgr.exe)
Runs ping.exe (1 TTP, 1 IoC)
- 5448 PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 1140 chrome.exe (2 hits)
- 4852 chrome.exe (2 hits)
- 3912 Bridgesurrogate.exe (60 hits)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- 844 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- 1140 chrome.exe (7 hits)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 1140 chrome.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 62 hits
- 1236 AUDIODG.EXE: privilege 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege, 1 hit each
Both processes are the browser and a Windows audio component; none of the dropped executables appears here.
Suspicious use of FindShellTrayWindow (64 IoCs)
- 1140 chrome.exe (repeated)
- 844 7zFM.exe (2 hits)
- 5656 taskmgr.exe (repeated)
All 64 hits come from the browser, 7-Zip and Task Manager used during the interactive session.
Suspicious use of SendNotifyMessage (64 IoCs)
- 1140 chrome.exe (repeated)
- 5656 taskmgr.exe (repeated)
All 64 hits come from the browser and Task Manager.
Suspicious use of SetWindowsHookEx (2 IoCs)
- 2820 Synaptics.exe (2 hits)
SetWindowsHookEx installs window-message hooks, including keyboard and mouse hooks, and is also usable for DLL injection; a dropped executable calling it is worth a look at which hook type and target thread it registered.
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 recorded writes come from the Chrome browser process (PID 1140) into its own child processes, which the process list below identifies: 892 (crashpad handler, 2 writes), 4216 (GPU process), 1820 (network service, 2 writes) and 2724 (storage service). A browser writing into children it has just spawned is expected behaviour for Chrome's multi-process sandbox; none of the dropped executables appears in this signature.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://youtube.com1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc451dab58,0x7ffc451dab68,0x7ffc451dab782⤵PID:892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:22⤵PID:4216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵PID:1820
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵PID:2724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:12⤵PID:4960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:12⤵PID:2104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:12⤵PID:4728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3356 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:12⤵PID:4648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4544 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵PID:3860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵PID:776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵
- Modifies registry class
PID:3068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵PID:3576
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵PID:5116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:82⤵PID:2292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5048 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:12⤵PID:404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5756 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:12⤵PID:2344
-
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5904 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:8
    PID: 4176
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:8
    PID: 2412
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 4852
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5992 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:1
    PID: 4628
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:8
    PID: 5084
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1896,i,4580327439536763729,6649002662069178792,131072 /prefetch:8
    PID: 4556
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 4732
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x410 0x504
  - Suspicious use of AdjustPrivilegeToken
  PID: 1236
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3684
C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SampCheat.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID: 844
C:\Users\Admin\Desktop\SampCheat.exe
  Command line: "C:\Users\Admin\Desktop\SampCheat.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID: 3876
  C:\Users\Admin\Desktop\._cache_SampCheat.exe
    Command line: "C:\Users\Admin\Desktop\._cache_SampCheat.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 4388
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
      - Checks computer location settings
      - Loads dropped DLL
      PID: 1412
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
        PID: 4796
        C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
          Command line: "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
          - Modifies WinLogon for persistence
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          PID: 3912
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vucraqwk\vucraqwk.cmdline"
            - Drops file in System32 directory
            PID: 2284
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE277.tmp" "c:\Windows\System32\CSCE7A81917C93A4AE6B67D9565844629EC.TMP"
              PID: 4344
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\chrome.exe'
            - Command and Scripting Interpreter: PowerShell
            PID: 4432
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\RuntimeBroker.exe'
            - Command and Scripting Interpreter: PowerShell
            PID: 3064
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\audiodg.exe'
            - Command and Scripting Interpreter: PowerShell
            PID: 2340
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
            - Command and Scripting Interpreter: PowerShell
            PID: 1412
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\SearchApp.exe'
            - Command and Scripting Interpreter: PowerShell
            PID: 2884
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'
            - Command and Scripting Interpreter: PowerShell
            PID: 648
          C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GG3qQO2d8b.bat"
            PID: 4152
            C:\Windows\system32\chcp.com
              Command line: chcp 65001
              PID: 5296
            C:\Windows\system32\PING.EXE
              Command line: ping -n 10 localhost
              - Runs ping.exe
              PID: 5448
            C:\Program Files\VideoLAN\VLC\SearchApp.exe
              Command line: "C:\Program Files\VideoLAN\VLC\SearchApp.exe"
              - Executes dropped EXE
              PID: 5860
  C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID: 2820
    C:\Users\Admin\Desktop\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\Desktop\._cache_Synaptics.exe" InjUpdate
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      PID: 1164
      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
        - Checks computer location settings
        - Loads dropped DLL
        PID: 2328
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
          PID: 3588
          C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
            Command line: "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
            - Executes dropped EXE
            PID: 2912
C:\Users\Admin\Desktop\SampCheat.exe
  Command line: "C:\Users\Admin\Desktop\SampCheat.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID: 3292
  C:\Users\Admin\Desktop\._cache_SampCheat.exe
    Command line: "C:\Users\Admin\Desktop\._cache_SampCheat.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 1452
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
      - Checks computer location settings
      - Loads dropped DLL
      PID: 3476
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
        PID: 5564
        C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
          Command line: "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
          - Executes dropped EXE
          PID: 5620
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5656
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  PID: 4652
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
-
Filesize
86B
MD5f0817915454c14a131a03bb1e970a3d9
SHA140bba77a1b68a36053d1cfce4a8820eeef1108df
SHA2569983f72ca78bee90d64610d7bd9bce46c075674f22307494ad40982ff760978d
SHA51200a97f09edc0824207fe5bf10e6d7ab903740bfb507db085b912e58a62f8ec814f05940bcb263163bec71e71def1ff9868fedd7b0348b4146a70198a00606c66
-
Filesize
5.6MB
MD5d5eb73597ed0a278e1a993ee15c5cdb1
SHA1c0a88c5eb727b7e4eb38dd90e95cbb1c37de0341
SHA256b6b9517b7429afea6d33ae62a1cff9ce8290b160f9f5544b1d9dd3ab0f620404
SHA512538de4b61b35c7acead9e8c26bdf1a47e024e7dd78402b4dbeb5fe6afe6ec7c323f2700f12c6ed441c51b61b4b3884967df67db6ba4ac682fc32c616dca2c932
-
Filesize
224B
MD5e6aa5a9a61e5a14929496cc623751fcb
SHA1e5e193008aaf6155d8959d1f237297e134c8c69f
SHA2564518eab1e079194970bee0b64f0dc5151e2208a48a94672e9a98fbe046e6a7d9
SHA51245a4385a57d928587194313bd04ea42714619e2a3f35f8c7af0d930507f1e717dfd9c4d00c36514a826fb2e5090ed7e9b8a76f099798d2c468910c40e1d7cd0e
-
Filesize
15KB
MD5c0ef4d6237d106bf51c8884d57953f92
SHA1f1da7ecbbee32878c19e53c7528c8a7a775418eb
SHA256b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
SHA512c96947d47d49d8c09973c760f066b0fc600d9caa9f5972eac1d61c7d06d7c6c28c4b280827c576a63097c7daf6609b4930ad34a353fd784e748cadbdb971d4e6
-
Filesize
218KB
MD5db58814e73b8dcf7bf565f2cab11d7c0
SHA168a11b423c9cb3301955a360f2ee7c37d216afde
SHA25686884c4eae6f40374250b89a320b020427ddd9b01cf598ff6f6b9a489e804f67
SHA5122244b518e697dcf61cdfcd13a614c605df140a789905967318a790e1d990713e3e79b25d051b2c8fe168da212bb7833242df7c0de81f7d866b9f5817b3621f34
-
Filesize
46KB
MD5b322e56a86b24d52ba6c2a10614ce78e
SHA19a990a198453af55e2c86f8a85ef6eebcb296f4a
SHA2563df48c3c951cd9bde194b92d644cb82eacb0ea91d01761fbafb645c4462b816e
SHA5120aa6f828d3a3472325651075887379ad159c348c4399b10e0c3b2556d52f879e1f57b4e8a80c77c1845653d0fa50c8b228c5ac684ca70b79b98c245e4d38ebe1
-
Filesize
792KB
MD553b61f5b29c1179b0279fbd9498a1536
SHA1140f44cd9d51ae81295ed199ccee46a7d37430dc
SHA256197e9e4a9e3855014800c3bfb36a9e2c2082dc9ebd743cb7a3cf43736fefea2f
SHA512e7c6ec98a1e299e4a6c711d02d1c3a27cb3d22be2480f02ec458c9d119e48f70843d441729f3cb52c1f2ffcf4581692eb61ff644f99f88eebaf7c9af4d5cd57d
-
Filesize
32KB
MD54691023a524333adb2337720b52adde0
SHA1a92c4dc3df565cfeed1e15ea4ff059ba01fd9248
SHA25619f1853554fe7305eeed5dda5c8f0c01f51e2e14ca101f129ace3ae25f5c3d8d
SHA512e7c9da80f49c888db06da32da467f8166c5e10374c207e2b7ad29a32d504c97491d96d5c298f4e070f857bff045bf4af25391b69cad5d5d379bb3054c4da8803
-
Filesize
32KB
MD5eda13c6b6a5166489f77c8d20050d7eb
SHA183d1706bc1bb4b7e491045b945c3b50db09f58dd
SHA2566031816aca7ea5570e205613e1d9ca27f99dafad04dfaa478b78b7127acbb637
SHA512b8cf001a29d1c1a1d9d075e7e695cd913d946ab657b77ef1e23bcb452cf301f7c6a7d7c6da921e49b56108e7794ec974ce44c0fe058180aa5c9e7771f2906357
-
Filesize
146KB
MD5e487227847af9aa3774d3ec327c9c24c
SHA17fdfda0bd77288a7492475d090dd709ac5863bb5
SHA256cac591400bfabdb551d4eccf88eb0de34f7dd3fc73e55ec905bf353477df625c
SHA51256e6a119e1fcd8854de68b0a2f8d3d7261b339797f419f22a2af35b21979e8a018a853494ac4a3aaab2be54d1dcf76dcdd62fb8e6f3c8913fad829f7502be34e
-
Filesize
744B
MD57d6eb28de4173deb65620386e4199380
SHA1c9c0cf46750331352ddfa604776bd64048f02f24
SHA25630a589c87fb6741a4c44a827413a88b97a53fd338f97040a78088f927d71ca85
SHA512fa5ca9451c980f16336475e5c0b67207275bb48bc22ee6835d65fcca8096eb63490c149e311e1d93ce69285c1824fe6c483a6083afe496afd5e83d29dcbc6c7c
-
Filesize
720B
MD506d573682032a0aa04d6062aa8c1e93e
SHA1c5d2a1b2a41a9f5f04a2368b49d9b228892f9236
SHA25644190d8c4e5b9efa8fc86436674f96d4234333512757102598694985f14df18d
SHA512a6394d187f1f5244551712acd78ea748b90790c77cef3d9a53934c98b93b49c61ef6593289d753fb642496378fbc2b7baf6f256e077bbec2ec0fc1ca4ef71394
-
Filesize
480B
MD56822ff35fc2fe8ca472049f392fc491c
SHA147a85fae14aa2dcfd5668e5b80707efceba5aa6c
SHA256cdb20b3d7ba0748ebc6955c8d377b1d472c7b12728c353528e6a1fa25c0b47c9
SHA512a58c68799a97f6ec366f4943f152a8e5fb5835252fd0b8c3bdea585ee867eb290389d15c270a45b40ceb050ce1cf94ed5b1b2977ff2a7d3463c11cdce647c3ce
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
4KB
MD56bffa9fcde2ab2bd6fc1ebbd381985be
SHA180561843b7b6cceb1f1fa66cfca5769996eb060b
SHA2560005bf1db3cece1e72a0a01134c3f789ed4f31b1ed0b4fc69b55bbe33f324f54
SHA5120797bb5bb2a2a3c2397fc33510d9379872e23288eda74b2e328d7dd84dabb9ae00ee2a6e067a24e7e065bfe7d6aea4de1ae0ab47765fbfcc8565ea72e3aac0f2
-
Filesize
5KB
MD5c4a57dfb2159fffd154be9d847f06767
SHA1faca55d707e860b701e836cb3f58418c87345cad
SHA2562b59832c1fe38289a28514b4135068655ec73640c5a443a9fcaf3dbeceaa56a0
SHA512aee702b493466435e6c7a7437643365027ba2004c3103ef0c24f00d7528b739a0a6a928a14aafa2d1a27c2b1fc0c2e59483c19addbf22f96916eb37658b22735
-
Filesize
5KB
MD5b711f01c6135801962fef3317e4a17b8
SHA1254e55289df499af7df719a78daa127dd3301999
SHA256b0af96f009d35921fe57e332a477e3a77de9ec9cf57922f5671aa20aa7642b83
SHA512f834268673209011ee4cd754077676e9b869f93c05d504a74be3d31c09157fc4fa07383f1a84e00a06593a251715eb92d0ad838684fc3a4f96cfd08751debf37
-
Filesize
4KB
MD5d1e197b0fb1832cec83cd1b0f7c1f61d
SHA1cacf5e40e83566d6c2a562648cd2f5b9065c762a
SHA25624e4ecd325172929abcc0100bb53c6c2e36709f962878a793a358d6bd78ae940
SHA512eb834a11af0913d166f642c29b1aaf969b1a2649e83c708ba15f5c2c7f6c3b6ad9563bfcb81a714ba2e4dc2bf0e0a6d351c61568e80806d9f84367b0b6f0ce4c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
859B
MD51554a7b967fb124cedf6355b1a44b8a5
SHA16c04af751057d175934741fd8e584f92b4a7e9e2
SHA2561f2c78a7e6d1e6b0b5bcf479d143d7b1af3c144faf855334f9dc9c4116c48cfc
SHA5128f10455d8726f4965d376f854efcca730223c5682a293eb4a8bc3c4e136786f74afdd6c55e2211378bf14006ae7c04de7475c992ecee82bf696176989990becb
-
Filesize
859B
MD5b50571004b7acfd1c06e46cfdc13401b
SHA132c126b85e4c4760c85b68ff03571e2e97998fec
SHA256df65ad1f37c25fc7bd6fa1ee5a1f660f5dd3d2e81ab5420944d4d956c41345d2
SHA5126053dce1379a201621bcacf1b3106fefb7352f58247899648e3a276aedad56256add10b7f7919d0455583baa8ce5d3f9da8ea88af9cd0e7ced2a3193c8b77b86
-
Filesize
1KB
MD545881e4e67d8898c5b487d2a9c3624c2
SHA1256866f789aeb66ab7e81b81035c6a65c3cef0e5
SHA25610ef1e79fa55d34ff61e1cb252d36adc1748831c2d90ee94c2cb3e096bc61ce6
SHA512a2341aedb6e858d07666daf0805d56084ec90cab4b8bf61561762be01b29b0a47c8eb55fa2790cfd22e7718ae05b69361ab755f0c4aa2e53569926061a15f7ee
-
Filesize
859B
MD5dcd50279335cd9d7eacd4189fe714f62
SHA18370e71fb9064585f9c6a08ea1962b08a25ee223
SHA256ce03f5a9d66b50d318450ab124b2b4c8b395e40ab87456595ca993a2c3ad4690
SHA512e3725e5e905e728b478d6cfbfe55a4d08f9645adc92c1ca46c9b0bad33d69cfe110b502bbeb271035d4fd828e8f55d7924050b226a1969795743ad069350bd73
-
Filesize
8KB
MD5458f3287759449e11682ed4afc4bfec8
SHA13ccd84eb085788cc2abe46322806d0e610277254
SHA256f4ea8de89e3fb53e6cf1b83c8fa09e48f30df3d974d1562bc53f7afd5d204e30
SHA512e559405ee13b7b7bc5347e8df66b3ca0a7fd740a967c503a7f1d7c64366ef9bbc4d488b8608c3da7ef20ac30cf5da1b5870feebf0e2f9219da00418e68798834
-
Filesize
8KB
MD53495f9b310597e47d695c6c307964d71
SHA1744a28f4c8ccacacd4593a5c4f86f00cbb2b7724
SHA2566a328fe00acd8ded75e9ca1911a23de63e939418cca7f64ae78a9eee0a4664d0
SHA512b0234fac17e709137d473812e91abdca961caefad15e050d3fe0e7ed8dd1b5564005b1819dd62f43f4890ede9669caa1d8ad205977d69f0c69446a52f0a81d45
-
Filesize
8KB
MD5ac60c5cc9ad2d4db23bd316b225b3d60
SHA118d93ed64ccc9eb26bdb8f3f8b1f1f198656f410
SHA2562046eb501132c61cf3641fa50118da5b991a96d6209ea96a8b24fc396e6b3afa
SHA512c20778189cba2f46d45491714ec27a318746ee7b3729b3b3d56c88c2408e1c2c4eb6666692dd95078d4b11e57c91776c69e992676408dde21503b55636525763
-
Filesize
7KB
MD5387a59b511aeeca261b34fee048068d0
SHA1a2731695391d6d45897c267eb42a13f9c794fba8
SHA25649049b1a695c4db060c956c2399a50b60f4d3d675cf3bea73f102a3bc3b1959e
SHA5127cb2d5fed561447159367dd87b7ebf5e84b23ce6fbe8e517158dddccca83b9c55fa57bfdd3b48c80af980133427bec331b906d5b66786ba797ee6522a080e455
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\54a0eff0-ef2e-43a8-9df5-f7dcd13df3e3\index-dir\the-real-index
Filesize2KB
MD5c1f4bffb68a4af23c1538f03a7d296c5
SHA1925cde6e71ac5d5276d22a8542a324b826828c80
SHA256b415abb8e5f4dff3fdc54e3ca518363415746b9e001a525abbe20fd64ebb9b1f
SHA5126f74e3067a4fc8945dc34303d63786928cb1e22db9f7f7e38d45b14659be2c3d4d5bf4ee141046eef4e399286150f0bb4590d5934733fcae9c7332945128022d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\54a0eff0-ef2e-43a8-9df5-f7dcd13df3e3\index-dir\the-real-index
Filesize2KB
MD50843b2c09d865bfdc1debad66c17ea89
SHA103374a983d7fb87a45ac2684199e3ad6b65f307e
SHA256c883e15dc3a44ce91a195ed66d23c412fe7cd6820102666a3d95db86f6646169
SHA5128b18061525efe5569988f31b1916bd25aefaf22580e9342ccd751365492588d3b1d28b291a5398047cae95ed72cb74679799f6a3f91df482fc04725c88a23373
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\54a0eff0-ef2e-43a8-9df5-f7dcd13df3e3\index-dir\the-real-index~RFe57a0f3.TMP
Filesize48B
MD5933d09e9cc740cc85a83a62bc274fad6
SHA1c50d6105f6246de22f2384b5c0f2fba2dd56639c
SHA2563fc2d5697364368fb0cd824fed82f85c0f86ed090051add522bd2adf61592333
SHA51239e6aadd394c5380a0ddebaf5938fd0cea91eaac3645b357321e41ac6b74406f0f5c0a465489d04fd1495c1af4fe038f5b43ffec81a2ba4e7283e8f12337f813
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\727930b5-9453-475b-aaf8-a31877c124da\83a1665e107c0f73_0
Filesize2KB
MD585343e6c7d02338aaff58882f1852a20
SHA13d2f8427492f5e184d08e83c4a274711cd0aba4c
SHA256d99248a522191b4e2abd434bc23866521ad57b3d9b3ef8e0aaf3143c1d890149
SHA5125127127686a53f49653750f82b511e2ae50eefe6b4898679ad7dda92ce928e030a59a09dab7084d5823e645769d373a272f0cb5430fac34a17134a755a482476
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\727930b5-9453-475b-aaf8-a31877c124da\index
Filesize24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\727930b5-9453-475b-aaf8-a31877c124da\index-dir\the-real-index
Filesize624B
MD5d4bc14ff143c1a716c4b811900741d95
SHA14a4698fffa76c0acb521e9f8a28e2f6211a914f2
SHA25680f3ce9020109ba164562d8d3acb88e8373f9cfa4e28028912d3ae0c4dca898a
SHA512cab439ee7d9b2550b0f414ea4274b88537e1b98294d55ce112e8c58cb944467377a6ce19db03d3154d81e5eae177ac5122f237c473646a2ed0e39d4e089a1d25
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\727930b5-9453-475b-aaf8-a31877c124da\index-dir\the-real-index~RFe585687.TMP
Filesize48B
MD5895558da52d054ed76d9a94f5bd7c857
SHA126b7990d82c58903aca0e83b86fc1c9b5db7c0ea
SHA25621c9f0346a5d939a2ed04417c7afd330cccfa811828a90b8a3747174d6b760f2
SHA5127b2a8263d8ba52cc1a9250cf78729498e67eecb6b76df62e2b52ede0f84cddc47ba8f7ea6052fec09cd6da4657c27fb2e034626b99d5406e122752bdb04f0bd2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize112B
MD589c35a40ca9775956fff54202981ec9a
SHA1f442f3a19d20e643f74710fd2d826bbe963e96d9
SHA256d20fe85a52bf5e7f78d5dbc249049832056630dd3ba3043bf661163d1685c029
SHA51204ba86dcd53c5bc40494bd581a8e6088b94da18a07e4bf3c18a6e1acc1f581bf60dc15afd7e560eb49efac97dd03bcf43357ed282ab9889717fcb2b4022794e1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize178B
MD504fb183578ab236360c0386a3cef2ad0
SHA1feb5066e8b67552c7e19e1cf6e8b7a020e18ff00
SHA2567c4f83dea3f0e428323002409cc10969e2f5abaa3eebb572257b8eb698e20c9b
SHA512218ad3f0709c00b86d29dfe2742e0dc6a1e668fe85743e80331d02821f375fc442f50e572bd22be9f93b997cae4fc812729828ebdec3a22e840f965259460390
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize187B
MD5ce23f8e8ecade8eeb2ab58751a898698
SHA1ffa015df8c5054fd31dc2506d300d3484740e448
SHA256e76639334361bc78ba5b42d1b6d26661dfe9e6d0fd8ff7dcca32ac286c0b06c1
SHA5129675c873e7fd91fe812e51da5fe7df93b32b58ca9c408f9231694bc3da2cb82fdf24388ce6174f1faac701c964fb8d497dc5fb109c634b155398601f8e47a976
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize183B
MD54f0c78414cc31d9091203c67ec66b9bc
SHA1c655be0df952267ec4d08db8f183cb35c45906f1
SHA256dc2d33dd5abda07dd279da9ed58194d0942d9f25f0b685cb89dbcc9982d8b326
SHA512bf5f7b8b76a8b44f614e945ec6dae7c759388bee478b49156006fe592b1abe85e1e2071368beb2efd1c9b341fb65fafd19c80806d23464abac955dd846bfca16
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize114B
MD54b93bdb0f242b4cc3def55f5640428ad
SHA1ce1e3723b3a82c5ce0388d2b4b03acb303f1a504
SHA2560b26f2a8abaaf1ce893114f6b8ccf5989371e17db690dd308e7474bc3b4887da
SHA512d71b874e068679626e37ffb3d1a6d7b12ad63a9a6ff1cb50444ef25358170aa4d41614fb3b3845f2f45a83c3a4f7e8c9dab7d069231765cec9f1297e53da869a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp
Filesize176B
MD5ee729f24edb5dfcbdcc5d1b146d5d739
SHA12078045332fdfd9e378789cdc27b58ae61398b18
SHA256490b95796de6997709ab262d157e70fc806522921de0c3d2976364bcc07eb247
SHA512bdd690c33cc6591cbbbfe71cb1daf1e2fd4650dc677178dcf462f50317f9117eba0b6820b2344ca9d286ede39d7132b5e3b68603a00a57f9ee7d50f1284e306c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe574bbe.TMP
Filesize119B
MD540a5e11c1f3ff1162e2c1813a1e7ea40
SHA1f25d73bad2a971fd80f22c24d0d18c99871c435a
SHA256d696450f2a0f8bdef99be54135bd068a0380ebbb9de9721d927c8859c5f0e8c0
SHA5123660573ff24eb880f84dd913642d14f0290299d5a1c3a5e508037943b47c08e2c56d38663df64e562c2fc69449eb20b5324cede9a73ca098335723d5207c9961
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index
Filesize120B
MD5a45d240c403ae77892c77030c031856c
SHA1f348628eee2ff79c3db99e544e5b2e1c380da028
SHA256cdfd1827b18fa55ea43abe5d5897e6edf5cc69aa58fb76920681f4002c52a076
SHA51283111b3490562c41c5fda2edb219850a232a1c4daf514ae55f4e9561babb4c1c312c023460ff392ef08e60a2c96fe28fe362672180a133de274fd4226843cab9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize96B
MD55d2b905cb5a65dd6ac900a561fd88bfc
SHA1b6384868c2ff10277cb3139762d4cc45422aec7d
SHA25671102f273a50502599a930a805c5f9be799bcee45012819898d481d6e44a0a8c
SHA5123b6de485f28cdb92098eb3f5d3733ba04091c4da35f2f6ae5e6efae78277fa77994c104d38fe31615f7163de36312b1e25a0afd9edb70ff0fd493dda79013bab
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize144B
MD5c1a733a7bbb25e6b5b95a1d5ffb785ec
SHA15a6571d0f107ec6ac8dd176df1c1fc6892917bae
SHA25661667dfff06a2b55c49f3c5b62a158843fe2cfd0b49a4dc07e560120e5ec93c2
SHA5121321cb881d463f692ba3c3fd71064758fd96482986b7bc1273285d8ad2f9fc0dada7344e64a58e288939be87b7c628075aaeb7d56b194e6d21a1f757a2958a1b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png
Filesize673B
MD588dfa96f9642297ff88909ca4e0f7330
SHA1ed8655bf13e6cc49395da4c760168c4148454b7c
SHA2565e5eb084cf1a650b2e122f53d36f85b67ce6e39069e399a46a25dbd34f7be286
SHA512cc2deedfeacf9f26e48cbb26e222a219905888b95634c7d91d6393b84248305ce8940816bdb3bff0f5384b9dad90f4e3905b229e06ce4b1023a1439293b240dd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir1140_1200500082\Icons Monochrome\16.png
Filesize216B
MD5a4fd4f5953721f7f3a5b4bfd58922efe
SHA1f3abed41d764efbd26bacf84c42bd8098a14c5cb
SHA256c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3
SHA5127fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir1140_179921915\Shortcuts Menu Icons\Monochrome\0\512.png
Filesize2KB
MD512a429f9782bcff446dc1089b68d44ee
SHA1e41e5a1a4f2950a7f2da8be77ca26a66da7093b9
SHA256e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37
SHA5121da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir1140_179921915\Shortcuts Menu Icons\Monochrome\1\512.png
Filesize10KB
MD57f57c509f12aaae2c269646db7fde6e8
SHA1969d8c0e3d9140f843f36ccf2974b112ad7afc07
SHA2561d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f
SHA5123503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18
-
Filesize
130KB
MD58c7804ab11d5e5eff3dea22fed1f13b4
SHA1cb75c738d2f2f391834199d0d2f0f779e2fdcde3
SHA256aac9b222394fa8faf83ca8586561041ee2da990d0cb05d18926109e6fd26acba
SHA512092775002ae899190e0ef7bcdb8298eade3e077d7c22a49ed96af83771a8a045bc78d497897cfde5103d7b0ee6932ff54e9eeaf169aab54c6e9beb20cc229cea
-
Filesize
130KB
MD53ab413cf62481feef78f834f4ecdc357
SHA1f354dde0866d73a2f42dbdc09c4f0252272999fb
SHA25619b6892f37db88fdf9423f08d990a7dfd4b538ec1983dba5bfc82e9e32f64808
SHA512fda60438e62210759328cc7df12f78d31a0361b61103ea19563b2bf47d886bfad467c8b48213c4dc589d09f6caf0a77da4325e000e287de187f79f4e678f13bc
-
Filesize
95KB
MD5b04cc4b066daf3936e23e9bbe0c0b823
SHA18a29244966445575eda933e0d2f2706d77842cf3
SHA2564dd6d46386352df8b6a313d31a0e2b929dd9e561a8117581c4c3bf9ecc91cc02
SHA512f2bf9097a2f6abd7222d7fa8d388f11849dc1abd12b19e5d3ec6a12551212b88fe1970d477ea596dd5baa1070eb1df8d4bea1fa44a485948df5cd217547a1ab5
-
Filesize
90KB
MD5796584179c854adb9dc70b4324adcf6a
SHA13a8c2e28c7a66929d7bc6cd365514c7bc236934f
SHA256995fd552216efbf3667b6ba61a73ecb10b8597f6b7827b059f456d47f1f5e101
SHA5122d17855ddac5374145c9da15343716b1fcf48cbf370aea9872c12355bd8fd78d4f2632f36dd68b7f35da1b514e9eef902b7f56f6593b5ce601a103f4554710ab
-
Filesize
89KB
MD56fb7d1d4a0a6217ec0720660498144a4
SHA1784a74dd569fed0ba0f6c8027e61685035cec518
SHA256fbec828d351f4754d74413204c055dd44c4cbbe30f7461bd3a0c0fc5268ce00d
SHA512eba2b0f43592b897def2d0ac4d7ff1c7cde4a72c05f374c306bfef0f14ad9e605178c31a4df17218f00e250ca958e8baa2116609ff2be335ef8913a5de7921ed
-
Filesize
1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
171B
MD58ba59232d2c9ae2b3581c104e9beed59
SHA1b16f1752aefa51e767a22e7079af9f40d7c8c2b6
SHA256ed48f87ea7470231e21a3aac96d8a07a3c28e1d8ca54e615d7383cf114a8eac2
SHA5128c528597c6b977bb814ec865a9ca17b271d62021d3ac05d402622bc9dd24814d5572b131d9705b8a8ed59c15b2f9d9132bb909c0944bb8ba5e29fa41a48afb33
-
Filesize
1KB
MD53eaccdf59d74a9c603d96ece0085a094
SHA105c5a75c21fc33b9be75b0be9a1b2bee9a340c7e
SHA256a3a4cc3e124ddbb6a5b47f013db16bb0f3f2359cfba604fdc92768b81a669823
SHA512d0c79e50eaef8c7f9911ff5474c1c4bf0ded653bdb5cd61ad7bd7cd38c41d426d14881afe672c8a2e57763d1b6933e108b117989872f52697ed9730e52ef2420
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.9MB
MD5885383199b4458661a083d690adec52f
SHA17f3a0cdbf4f14e71fe0061f35c121ce087918a99
SHA2567e1fbcc206aed09ff42684b9dcdac876e2a1f7c068463430b1bfb21564af1252
SHA512dbe796e5c8caf1de33ddfc499c86f3a2d289ab6f1e1f89ecabef7403c70e2ea18da72897184988f12024e01e159276dc6f70b09266102bb542517d08bf41d31b
-
Filesize
6.6MB
MD573d7e637cd16f1f807930fa6442436df
SHA126c13b2c29065485ce1858d85d9dc792c06ed052
SHA256cd0f7fb1020a931c98c7c258241f06292cb9b7cab8e9acdb4010f4d56f076ef6
SHA512f3561a2090e70b6a2a7c4070daebce1b9ff269fef1a8ca6297c20eb28170675eec7c689d05a05a00b8ddb2d1c2c82639c5d53f63782c0460acd4d3aa95328922
-
Filesize
2.0MB
MD5ac515523cb2b3733ef577b41be25f567
SHA1de33fa0b3c4cf54453f15181d636ee019cfb68ed
SHA256b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085
SHA512ed79899f7c030696816ae969a6eea0aba82da3d6842fc7e156bcba726eabea9a761c8c84a04dc4e72094e710b6235eb980d1aea8a55b86e9f99539c95ae168a4
-
Filesize
365B
MD5b9405413cb8fb32b9bf116c2b0ab36f5
SHA1842765a5b381436fae05b4834ab4842186823c71
SHA256c1e4bb9f958bce8bc7bdedf80e514c140fa26a94f90e0e0e62770284157aea58
SHA512cf170cac6f974f83669ca0c9657aa9855cecaed7b1f75bf8b13d1adad9e6f33eb998c9210061e8fea6b8ae8140de0cf55b93e87c3cc57648e7cc5db558bd0574
-
Filesize
235B
MD5c4ee4763b3ce16aa918e5a59a9ee8bc9
SHA135aaa0362eb1abbf025bf710a359664c1388cc44
SHA256f9958cb89d0d78c166d78d8f39e343a765b606cb309868fabd0ea7dd6cdc716d
SHA5125e149eb8fc6958ae4d80df07c3a717cac8d4190b3a1a8fcc6995c6a6d8878c9464508aa5e7a57d793b728f0c498c84f527821fd6e7f10ec012126149e9f1039b
-
Filesize
1KB
MD59beedc7794aa6283d0dfe66633f0facc
SHA151dcbc25b09e1b1eed30d7e7c4ef6d10958b5c71
SHA256852142ec581e78ed8efae8c1c328654f6bfad35e875f0d815c5f36c23a0fa860
SHA512d07e046a043b4c4fd8352f0081ee5cad8585eda817f54e3a1025b16d8ac47b5d11409a6f0a3aeadb8ea04797bb7edf7edaa73214cc41f7557baa11406bb90eb4