Analysis

max time kernel: 378s
max time network: 390s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 17:23

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://justd.my1.ru/load/chity/khaki/bat_vredilko_generator/4-1-0-2
Resource: win10v2004-20240611-en

General

Target: https://justd.my1.ru/load/chity/khaki/bat_vredilko_generator/4-1-0-2

Malware Config

Signatures
Disables RegEdit via registry modification (1 IoC)
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
Disables Task Manager via registry modification

Downloads MZ/PE file
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 7zFM.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 7zFM.exe
Executes dropped EXE (17 IoCs)
Processes: 7z2406.exe, 7zFM.exe, BvG.exe, 000.exe, vred.exe
pid | process
5344 | 7z2406.exe
4376 | 7zFM.exe
5200 | BvG.exe
5172 | 000.exe
2032 | 000.exe
6044 | 000.exe
4656 | 000.exe
400 | 000.exe
5076 | 000.exe
4348 | 000.exe
6040 | 000.exe
3332 | BvG.exe
6024 | vred.exe
1160 | vred.exe
5648 | vred.exe
3192 | vred.exe
3528 | vred.exe
Loads dropped DLL (1 IoC)
Processes: 7zFM.exe
pid | process
4376 | 7zFM.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe | upx
behavioral1/memory/5200-988-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-998-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-999-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-1000-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-1001-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-1014-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-1067-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-1077-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/5200-1087-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1097-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1116-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1117-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1119-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1133-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1134-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1137-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1139-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1144-0x0000000000400000-0x0000000000758000-memory.dmp | upx
behavioral1/memory/3332-1293-0x0000000000400000-0x0000000000758000-memory.dmp | upx
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe
description | ioc | process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Detected phishing page
Drops file in Program Files directory (64 IoCs)
Processes: 7z2406.exe
Drops file in Windows directory (2 IoCs)
Processes: cmd.exe
description | ioc | process
File created | C:\Windows\Win32.bat | cmd.exe
File opened for modification | C:\Windows\Win32.bat | cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 36 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: explorer.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill (1 IoC)
Processes: taskkill.exe
pid | process
4692 | taskkill.exe
Modifies registry class (64 IoCs)
Processes: explorer.exe, OpenWith.exe, BvG.exe, 7z2406.exe, msedge.exe
Modifies registry key (1 TTP, 6 IoCs)
Processes: reg.exe
pid | process
3136 | reg.exe
5812 | reg.exe
856 | reg.exe
2000 | reg.exe
5620 | reg.exe
4964 | reg.exe
NTFS ADS (1 IoC)
Processes: msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 195178.crdownload:SmartScreen | msedge.exe
Opens file in notepad (likely ransom note) (2 IoCs)
Processes: NOTEPAD.EXE
pid | process
4656 | NOTEPAD.EXE
4464 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: msedge.exe, identity_helper.exe, 7zFM.exe
pid | process
3536 | msedge.exe
4956 | msedge.exe
4016 | msedge.exe
4808 | identity_helper.exe
1568 | msedge.exe
6016 | msedge.exe
1380 | msedge.exe
1160 | msedge.exe
4376 | 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
Processes: OpenWith.exe, 7zFM.exe, BvG.exe
pid | process
1476 | OpenWith.exe
4376 | 7zFM.exe
5200 | BvG.exe
3332 | BvG.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (22 IoCs)
Processes: msedge.exe
pid | process
4956 | msedge.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: 7zFM.exe, taskkill.exe, explorer.exe
description | pid | process
Token: SeRestorePrivilege | 4376 | 7zFM.exe
Token: 35 | 4376 | 7zFM.exe
Token: SeSecurityPrivilege | 4376 | 7zFM.exe
Token: SeDebugPrivilege | 4692 | taskkill.exe
Token: SeShutdownPrivilege | 2280 | explorer.exe
Token: SeCreatePagefilePrivilege | 2280 | explorer.exe
Token: SeShutdownPrivilege | 4172 | explorer.exe
Token: SeCreatePagefilePrivilege | 4172 | explorer.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msedge.exe, pea.exe
pid | process
4956 | msedge.exe
3076 | pea.exe
Suspicious use of SendNotifyMessage 50 IoCs
Processes:
msedge.exeexplorer.exeexplorer.exepid process 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 4956 msedge.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 2280 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe 4172 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
OpenWith.exe7z2406.exeOpenWith.exepid process 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 1676 OpenWith.exe 5344 7z2406.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe 1476 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4956 wrote to memory of 4256 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 4256 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 
3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3692 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3536 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 3536 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe PID 4956 wrote to memory of 2296 4956 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justd.my1.ru/load/chity/khaki/bat_vredilko_generator/4-1-0-2
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd66e246f8,0x7ffd66e24708,0x7ffd66e24718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4788 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5324 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4772 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\7z2406.exe (depth 2)
"C:\Users\Admin\Downloads\7z2406.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\OpenWith.exe (depth 1)
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe (depth 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe (depth 1)
"C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe"
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe (depth 2)
"C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe" CHECK HEX CRC32 CRC64 MD5 RIPEMD160 SHA1 BLAKE2S SHA256 SHA3_256 ON "C:\Users\Admin\Downloads\2_BvG.rar"
-
C:\Windows\system32\OpenWith.exe (depth 1)
C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\7-Zip\7zFM.exe (depth 1)
"C:\Program Files (x86)\7-Zip\7zFM.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\7zO8111D61B\BvG.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\7zO8111D61B\BvG.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\DllHost.exe (depth 1)
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CDD1.tmp\btec.bat""
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DC86.tmp\btec.bat""
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E4F3.tmp\btec.bat""
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E792.tmp\btec.bat""
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAEE.tmp\btec.bat""
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ED30.tmp\btec.bat""
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EFB1.tmp\btec.bat""
-
C:\Users\Admin\Desktop\000.exe (depth 1)
"C:\Users\Admin\Desktop\000.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F723.tmp\btec.bat""
-
C:\Windows\SysWOW64\DllHost.exe (depth 1)
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
C:\Users\Admin\Desktop\vred.exe (depth 1)
"C:\Users\Admin\Desktop\vred.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7CE.tmp\btec.bat""
-
C:\Users\Admin\Desktop\vred.exe (depth 1)
"C:\Users\Admin\Desktop\vred.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EB08.tmp\btec.bat""
-
C:\Users\Admin\Desktop\vred.exe (depth 1)
"C:\Users\Admin\Desktop\vred.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EC60.tmp\btec.bat""
-
C:\Users\Admin\Desktop\vred.exe (depth 1)
"C:\Users\Admin\Desktop\vred.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EE93.tmp\btec.bat""
-
C:\Users\Admin\Desktop\vred.exe (depth 1)
"C:\Users\Admin\Desktop\vred.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F096.tmp\btec.bat""
-
C:\Windows\SysWOW64\DllHost.exe (depth 1)
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
C:\Windows\System32\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\dfg.bat"
-
C:\Windows\System32\NOTEPAD.EXE (depth 1)
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dfg.bat
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\NOTEPAD.EXE (depth 1)
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dfg.bat
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\dfg.bat"
- Drops file in Windows directory
-
C:\Windows\system32\taskkill.exe (depth 2)
taskkill /im explorer.exe /f
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe (depth 2)
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 2)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" /v Win32 /t REG_SZ /d C:WindowsWin32.bat /f
-
C:\Windows\system32\reg.exe (depth 2)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 2)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
- Disables RegEdit via registry modification
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 2)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 2)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 2)
reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f
- Modifies registry key
-
C:\Windows\explorer.exe (depth 2)
explorer
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
C:\Windows\explorer.exe (depth 1)
explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1)
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
C:\Windows\explorer.exe (depth 1)
explorer.exe
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1)
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
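The two reg.exe command lines in the process tree above are the observable that matters here: they set Explorer policy values that hide the desktop and block the Control Panel. The second one, exactly as recorded, has a space inside "Current Version" and no space before "/v"; reg.exe accepts a single positional key after "add" and rejects stray arguments with "Invalid syntax", so as recorded it would not have set NoControlPanel. The Python below is an added example, not part of the sandbox report or of the sample: it tokenizes command lines, models reg.exe's argument handling, and flags only well-formed commands that set a lockdown policy. The first two inputs are the lines from the tree above; the third (DisableTaskMgr) and the LOCKDOWN_POLICIES table are constructed for the example.

```python
"""Flag user-lockdown policy writes in `reg add` command lines taken from a
sandbox process tree.  Added example, not part of the sandbox report."""
import re

# Tokenizer modelled on CommandLineToArgvW: whitespace separates arguments and
# double quotes group one argument.  Quotes are stripped from the token.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Policy values that lock the interactive user out of desktop tooling.
# Keys are matched as suffixes of the upper-cased registry path (constructed table).
LOCKDOWN_POLICIES = {
    "\\POLICIES\\EXPLORER": {"NODESKTOP", "NOCONTROLPANEL"},
    "\\POLICIES\\SYSTEM": {"DISABLETASKMGR", "DISABLEREGISTRYTOOLS"},
}

# Command lines as recorded in the process tree above, plus one constructed
# DisableTaskMgr line (not from the report) to exercise the Policies\System branch.
REG_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f",
    r"reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f",
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f',
]


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline):
    """Describe a `reg add` invocation, or return None if the line is not one.

    reg.exe takes exactly one positional argument (the key) after `add`; every
    further bare token is a syntax error and is recorded under "errors", which is
    what happens to the unquoted 'Current Version' path and the glued 'Explorer/v'.
    """
    tokens = tokenize(cmdline)
    if len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    parsed = {"key": tokens[2], "value": None, "type": None, "data": None,
              "force": False, "errors": []}
    takes_arg = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in takes_arg:
            if i + 1 >= len(tokens):
                parsed["errors"].append(f"{tokens[i]} without an argument")
                break
            parsed[takes_arg[tok]] = tokens[i + 1]
            i += 2
        elif tok == "/ve":                     # (Default) value
            parsed["value"] = ""
            i += 1
        elif tok == "/f":
            parsed["force"] = True
            i += 1
        elif tok in ("/reg:32", "/reg:64"):    # view selector, irrelevant here
            i += 1
        else:
            parsed["errors"].append(f"unexpected argument {tokens[i]!r}")
            i += 1
    return parsed


def _nonzero(data):
    try:
        return int(data, 0) != 0
    except (TypeError, ValueError):
        return False


def is_lockdown(parsed):
    """True only for a well-formed command that sets a LOCKDOWN_POLICIES value to a
    non-zero REG_DWORD (Explorer ignores these policies unless they are DWORDs)."""
    if not parsed or parsed["errors"] or not parsed["value"]:
        return False
    key = parsed["key"].upper()
    for suffix, names in LOCKDOWN_POLICIES.items():
        if key.endswith(suffix) and parsed["value"].upper() in names:
            return (parsed["type"] or "REG_SZ").upper() == "REG_DWORD" and _nonzero(parsed["data"])
    return False


def triage(cmdlines):
    """Map each command line to 'lockdown', 'malformed', 'other' or 'not-reg-add'."""
    verdicts = []
    for line in cmdlines:
        parsed = parse_reg_add(line)
        if parsed is None:
            verdicts.append((line, "not-reg-add"))
        elif parsed["errors"]:
            verdicts.append((line, "malformed"))
        elif is_lockdown(parsed):
            verdicts.append((line, "lockdown"))
        else:
            verdicts.append((line, "other"))
    return verdicts


if __name__ == "__main__":
    for line, verdict in triage(REG_CMDLINES):
        print(f"{verdict:11} {line}")
```

A malformed line is still worth keeping as a hunting artifact: the operator typed it, and a later build of the same batch file may have the typo fixed, so detection logic should match on the value name and the Policies path rather than on the exact recorded string.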
Downloads
- C:\Program Files (x86)\7-Zip\7z.dll
  Filesize: 1.2MB
  MD5: 29a34c57610eea82931e8e9b6ce2c8e7
  SHA1: 321040f01c5bd84e5e4fe3abbec972445b45e242
  SHA256: e231abd80c42bcb64a10afe17d0b9814a7b6cfe014259a7f8182f2fcdcd980e1
  SHA512: 3018a6dc001696c59330dca6ef994b0c3c5fabbe63bbe5670ca344beca632c328ee227c2db7a9d1e5ff84c56d3f2a5716ebad8113a2648d2c5480a75e83d5ca8
- C:\Program Files (x86)\7-Zip\7zFM.exe
  Filesize: 595KB
  MD5: a4ea6bd8cd1266862e58572105f1615c
  SHA1: d24df6d8734d2dff878b79226a46788422dfed03
  SHA256: 56332f59912d67d7b73765928aa02009a0be88b8db89287ad26c883265360544
  SHA512: 40ba9c4aeb74d11b555a82779f0130c576a7983ab7e402e25ee2feda1c4995751b13627adb07a9fe4bcf61cbf0fddf065702ace8743915efb3fe64d2ec8b9d53
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 81e892ca5c5683efdf9135fe0f2adb15
  SHA1: 39159b30226d98a465ece1da28dc87088b20ecad
  SHA256: 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
  SHA512: c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 56067634f68231081c4bd5bdbfcc202f
  SHA1: 5582776da6ffc75bb0973840fc3d15598bc09eb1
  SHA256: 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
  SHA512: c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
  Filesize: 207KB
  MD5: 8f5efe5cb743df3516869e6a10bb310b
  SHA1: 7c676565f684b409f99cf1331ccf8a31026aa705
  SHA256: 37082199edbaa1746690251de3779cb1261e9966102743e9721e5a9bef99b467
  SHA512: 902d9e12178f948bc389e1f3f86f64dbbe604d583498957be2816c942eadec87c35ee5bc0ab8d8fbfe681357f622e2a8fc0892e9c6ab324b19f3a416b4e36953
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
  Filesize: 63KB
  MD5: 5d0e354e98734f75eee79829eb7b9039
  SHA1: 86ffc126d8b7473568a4bb04d49021959a892b3a
  SHA256: 1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e
  SHA512: 4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
  Filesize: 69KB
  MD5: 12e9d433aa286aa9a60f779569cea593
  SHA1: 03a19dddc16fd6ddd3f6d447dc4735e02fa5a04a
  SHA256: 2a023b05903647e42c3d506a3b54712c9f17738acb72bd824423dba4d28bee23
  SHA512: 7932dcc399307524954ad278963b316b755d054782ee7fa35cbcfd07a05e9766e99ec9e90d2127e68766afe3d8c571f10813927e1be8d7831936237b1282d858
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
  Filesize: 42KB
  MD5: 80563705367e4b4082b4b80f8571a4cd
  SHA1: 72d730da1499b25b66bef22e3b823d9813082f1a
  SHA256: 3d258442f00d724408e414f42c74a8c512228ea9e33958e6a173686f117c2d4f
  SHA512: 76b2692b08e5a5ba4f044db528089b2e13478164f92cb7f1c500c2f2169a2671d791adfde8446c7f1b41017724e05d520a3f0d04c764d800af060885b32c48a6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
  Filesize: 19KB
  MD5: 635efe262aec3acfb8be08b7baf97a3d
  SHA1: 232b8fe0965aea5c65605b78c3ba286cefb2f43f
  SHA256: 8a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06
  SHA512: d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
  Filesize: 64KB
  MD5: 2923c306256864061a11e426841fc44a
  SHA1: d9bb657845d502acd69a15a66f9e667ce9b68351
  SHA256: 5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa
  SHA512: f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
  Filesize: 88KB
  MD5: 77e89b1c954303a8aa65ae10e18c1b51
  SHA1: e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73
  SHA256: 069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953
  SHA512: 5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
  Filesize: 1.2MB
  MD5: eb63aad3cfbfc8e4570b89c9f2f651c7
  SHA1: c4ae7ad4c021508f7721b16e82efd60826b1e96a
  SHA256: dd2ae4d6b1cbf32b75433ea22afa1022f8aba05f521447bfd9b186694a022467
  SHA512: df0ee255da8abac46386a70ae562d30d7e898bf7070e9082ded20546cac552ef951b77b5fb8b12f907828c65409f6450258791eaa1e0739c89810cfc3ad07db4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 79a47a11206c64a8ad2954bae125c14e
  SHA1: 241d5c9c4e43eebcf241ccba0896d7891442c40e
  SHA256: 29c6b91f11c88c7c22fa582a69be93a36e441ce999d5463dd70221d91b78146b
  SHA512: e0224a6d26f7061086ee198f5f1466f89f90d7846f6e257a244ec6e78dc6aa6fadd696e89b4235a33055fb544c2ffe40fa45913826071969ca332e3b039a0dd2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 264B
  MD5: 67448b4aaa20525f25fff6b702e324f5
  SHA1: 14b6c1e2d008834fae03f681f60721b5b9f44d45
  SHA256: ff67ab08b2e0211483edb47feb70fcc0de006f5911c0b0cc93969a324320847e
  SHA512: 209d74ba68c6d8d73eb59f0fdd92818db9401f2a48d4a910cdd620545ce72f6736ec83d40343adacb1a21776a456908609955a5ad6196f9066585eed03fc3842
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: fad2ad0316b8145c7c1b1cb15ad6702c
  SHA1: afba780cb74fb2567ab52d29aa4abe9e4c39e60e
  SHA256: 533c5046cdc1c12902c8b7deb79698b49c126b727dc6801a5d02991a61466714
  SHA512: 6dd0cf88d34485de520885661f56d851dbaef7a15417c6612fdd728090a687fbbef86239866e9841e7d74dfcdd93ab90c7f7ab9c01336f2dfb8f8a17bb7d6158
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: 1f574bcc35704ff2bf10071870c886f5
  SHA1: fb3e30d3df7d59523166f652e583ccd6c7edfa71
  SHA256: df0236a828e565a0f45f5e7f105ab9a6306b30e1e1afa0d258ad7211eea0c9ed
  SHA512: 174e4d9064b5a90cef6b25ccc6544e08f5fc492eeadd7fb9add89eac6456a08fe9e6da8dcc37f99644daa7a6d43a5ccebf76b618f8666fbf9fee357551cd82a1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 36f848395512c0ba0c7bd1f55b4e7d7b
  SHA1: a1e929b6c9772b885cf71d9b36aff906b085ce5d
  SHA256: 4b06dcf72d1ec03e642a5c9f268c11340710bb383e1cbedfda194eb0cbf50cd6
  SHA512: 10c075e28cb8b27e2b0057434e4ed847c541b435b3a9fcb968b6631c8e2b6ba30f655fcabd70defbd31dc545da34cc66d3cfc1ef896da48c67aab71ec78949b3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: a57da25443a9fe5b8eef2c85d84157d5
  SHA1: 7a13cd525c540b736a6c6608e1a62c8c0cbb80ad
  SHA256: 01798580ba6f13c05ff732fbc19ef96e77b374e8c99c29955408f24329a7b6c0
  SHA512: 01ec095283a64c07788efd3ac3c48cdcac74aa8b82a2c339e7215c568563d236a9f15fc2b781bef785c1360704c2e5d6dc74af62cddac3bc8339389a93893b7a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 89c36ae07d25320e137fd5dcdf80d609
  SHA1: 529f1b406421a47782889e169053af268e864dc1
  SHA256: cbe2f8cdf94cc96701af0c0e918a49e37828b6fa49c3c72ad54e563604c15623
  SHA512: 234dbcd7c144c1f8ffdd05135c1f76f04265eb58c3b0e0e62ee34bffcacb0dd5fc27c36492cefa7083a9874a94972bcaa301972915c813ae53219937adb0a469
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 082f997703ab3b4fde51aa55c67811d8
  SHA1: ccc6a5d904bb0061755e8f4a2429ed198195cf15
  SHA256: d6691ac5384c099ad6bab513cf6a47896a8ef16c1c5017ceaf0834d896931468
  SHA512: 8cda22ea3d81e38642336f867f412915a33184ff25c8ce318a02596ced9553a9826c25e83163b7f4fb565a6c32b94773531ea5ee75cc48f73797be4940e08dbc
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 0ee44a6c8fea7c7f7b039d022ed6f0ae
  SHA1: 114d41d940e5c96194fcaa3412c43ddc38acde91
  SHA256: 7d01d2bb6279b35241f048f302837e1d959c087d9bd25ff1b41070013d868859
  SHA512: ddf906bf955fb4fbf8571c4c0898e4a851792bebb359f34edbd7b65774868ae310ae87b28c5e9d15e8b0e563259d03cebfc4aa0091e4ab71d13ee41046cd83a5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 1950c36a80cfd623ec112ef19a3de296
  SHA1: 60d9cb96b8477cded7ffb3964919ea21e05cd840
  SHA256: 34f44f98485ed5a802a87e59f8d37928743d379901d1d37ec65e3a111d16123f
  SHA512: 1834bfc799ed1506bdb59d8777cfa25dc16502e9f16420e128a6e997bda626a72391ebd863c85b14ec68a24a27fb80348de594c725bf63ac614a278ede3acdf4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: bc4f4e2d6d828ebb97577875cde9dabd
  SHA1: 1f4a999b78c6c733f26c74d13af925346ab45a11
  SHA256: 2e2bfca0be114602b2cb286fe956d853272ca0660ea894f640bbc49d05be2d9e
  SHA512: b1cb6944d93f45f3eb19b10e16b99274097892709a94fe53b426f98665998e6306980754484a218cfde768d57b75946accb102336d317b9786933288c3634d08
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 50e202f072cc81dfcc076a44bcfda6b3
  SHA1: e0c4732a8fd57e35c994b21d745032dadba5b336
  SHA256: b6baf0cb095d7042949ea6c865f1f4918401431eae83370ef71206255b3800e2
  SHA512: 337b27c8b3d2f16539e2d002a88dc6bff4e7d5a2c468f6b7af6e4fd0da98a6dc508e2af73b12d593281afa97f6d39d30617143aa6294d5b2fe1a66e152286437
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 2573ef24fb755bdf22c4c1dd4b612ceb
  SHA1: 5fac48224997e025305438c530484909c27e0f3b
  SHA256: 5c9e7e7b0a9dc24bf54f0971aff89442ec26d12426017e9fab1d1ece69a1993d
  SHA512: 0017a259b81f8fb8f00291d1df892eaf120501a65a58f219833a96fdf00a4301112cf4fd593ade9c64f72033d93d8dd491c116f62d4690b69cf5750cc4d70c9e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 0d3088e6e187c6942771d46f661863fc
  SHA1: abd10ef6b9a2827a3d8589d87acc72ad947481c7
  SHA256: 924abe737892a3ed762d9dd0465e21df9fce4caeb5b1cd9988e9fc5ebde95f48
  SHA512: a07d196581ad1631707f91f823d45ec58eacafc307222872d202167760d3ac6291e2c2b0887e2d3eb0b890206deb3e07c218c0ce60601e30884753664b019b5c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 9ccc488780e4af3fe81e2804e7e4e546
  SHA1: ea24c8dcc28d5df56b50d56a267842d7bed8f524
  SHA256: 1dd5ba3245d2931f4e4cae322cda1dcdfb43d2dbf03dc75ed1a803c99b57cad4
  SHA512: a5135ac004219085ec3a9f777db236cf4e7a48d1bb7656e78b4c6c26470c76d7accf583c420f43959c7ced4776707cf3cc1afb4f22c71f27e3b8b9437c68f607
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 96B
  MD5: 360cb373fec6cfb59d279a6286ec7d98
  SHA1: 119a9e5b04cfd9acab0298ad30671aecbdcb10da
  SHA256: 8bffdf99f1dd1bdd3103b06900535f28c44cfb41bbfc3e850ec4a8b20d83d687
  SHA512: 4365e9c7b1632eea439235e2838d386767ceac9e2f7cc62dcf3c6c7069e521c67cc0a81101dc3503c641e57b4844a66c6c683aaa1b7f4c33f7d7b27842606b1a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579088.TMP
  Filesize: 48B
  MD5: 2f5c12f5a9c23aad6c7c004da0b2320d
  SHA1: d6ec2a87286ba45c204d41ccff663b7a3e0778f4
  SHA256: dbc4a78c7e258d50b96c7e3c3320ad8ce5433b9b44592856751c8ec6db0ff222
  SHA512: cc4c3691989c802edb73705876bbb7a9899ecc1c662fbe2686dae692097258da09dd93683ff0aae5ffb50941ace2f90c065997e347f9b4a6a05da35455ad48d2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 5ed094bb471741471446bde3e0ab5997
  SHA1: cec2d261fc7524bc1a077f5c6cf8def72bca1e3c
  SHA256: eaf0612e53b91868d1449b0f16bb64239da87155d45378750b2b7fb752049f53
  SHA512: 91dcc02b0462367e14b0e1466764d9e9c7a27459b17bb8fc5989dba3c676d4c4f81682c2a6b88d8b37f512a4d98fc57c113f25e0a4f237765d96c7b985a220a6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 22a31eb2e0c0ffc3a699734fcef814c9
  SHA1: bdf389eb11aee4bdbb59f591e44077f531ddb31e
  SHA256: ad24b4346c5975701b8c354139c81f6ebcefa37f5c1f4807d4af25faa664a351
  SHA512: 6c38cfdec981462664291f628e16dcd31e01889862e38c50e9daea0607fa9f0f8f5683d59ae4927538ce9f4a98ed234e9339eecf676f1b10294b3636d125f884
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: c82122d8198c6b40a2913fa65088737c
  SHA1: 3832af83f3b2aa9e9e1eb8af235b6c79fbc29851
  SHA256: 9a6c1c3331d0b780b8727dae0bec7229dff993cef47b70967d6757000e19a057
  SHA512: 058d8694c41f02d43aa86af622582f780272bcc91ba50cd296cf656a2ff7f3bc0b1f74d11887883aaff8858a26230e732f9cb242c038a89da82f49f443b6ccb0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: f38ea6421a144b77503ce98707c49b03
  SHA1: 740f7456f5de639e9e40f31c43bf44f17113ce57
  SHA256: c25fa33ddaf7f0c6ffd9e37d438aa1e6b55bb32e61f7ede31912f20604a89443
  SHA512: 9e28482a06fd7ec1a069e26d00812aa909be15a025910e9ac0efdddcf38f9d8634a34c63aad3b62a454043e80c961e5b08a4c1f5df8bf7212eb5328c45e25233
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bce7.TMP
  Filesize: 540B
  MD5: eae2dd6fa28f65932be5fdd501d08ef6
  SHA1: 649bfbcf44f63fb72f1467eaa92128ca4a39affe
  SHA256: a317e94a8c9b75b4c2f29185285134bc18d3e79f9d3cd1dad2ee2f3276ffe939
  SHA512: 81d3c81de8a07b5d0f67bbe970203dd5eeb5dfb39b8757b4d3aa1bdcc0fdb64531b6715bb353544593d099332a1bcd78a05971954270e7e93dc7a0b98dc1a0bc
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: ba9628e5785fe9eb85a34c9b0db632b2
  SHA1: 1e566c3b76aed5ee6d25d73772a99583fa8a31f0
  SHA256: 6f029a61019037b2330055bccb65cd055b66e3ae271eadaee698a629ca3980c7
  SHA512: 7604655c9d155879ac4a3c5a23cc2cee965bd967a987409edbd041980e083969987cc6566f5a288dbf74934af9eed9b34ae9d6517d59244dcaacf85d146aeeda
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: b254b1721100ac1ef1bb4562e7dac864
  SHA1: 91f6930e997586aecd32428ebdb4aeb48b559e98
  SHA256: 4bd32b3ce0fbe09d53502788b798b616cc1ce1d4cccf7b7d2ba35037070c675f
  SHA512: 0d78edd7a0ed6f9b60a3ae82cb0e845a420dc6342c3d28e500835b9b525551319b517bc19a6c7339d54429624da09312e189d4ad1c2731a003bfbc4b0d4cd8d9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: d70399a5513f69edcc7aff16f40c13cc
  SHA1: c37812a16b3ac7facfdf9e3c59625ae835ff2370
  SHA256: ebad3c8772711d4c38a2e5f1cdabbe359dcd517f34aa028bf59d6cad5eb5cbf9
  SHA512: 5dbbd0411c989e6321a245925ccd8f36071db588bfe5ef8340cf4f8674e2e752797cbe629437e24c05e249248017a6239e3d981b9036c12e5fc9890841fa8610
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: 15a078abff03b07d885515d354a50775
  SHA1: ba4f47f65b8464c2e77dcf962cc779730502f7af
  SHA256: 2f84f5cf21e462f688e06a55aeb889ee2cb1cae0b778836883064ebf6846b2b1
  SHA512: 7dacbeb8c267b7bc3d2779730f8b60a5554c2bb0f208ee2545785367482100f9f39a50576b2753e72a0d87058d2b2e595f093e70d52707b52cfdd49832aa69b3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: 9eb9bbc6e180879756ac25c6c4fc40ce
  SHA1: 82bcfbd08f2f8700070d5bbd617952c0de3304f9
  SHA256: 5d437942dfdd7581de65d9710cbcb1e3ba39a5eed00d9f79b54c6bc18894b649
  SHA512: 826bfa5a9e0d85f8c54f0449773fb8b618913a31956bf71088463ebe2b0a60a4e7de9af52e59e879a39093fcc05600338ac119e24112f1524ba72728b4d69144
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: b12e1d665e42a6d1306d35fa2d27b068
  SHA1: 267c0cfeef7cd120733f44c6a754b33468cd531a
  SHA256: dff012abb9ae4177f1fd0fceb09b727b40b277651a00b31b2b088196345852df
  SHA512: df4e195df036bc713209167efbf4a0a5e1f896465342ae487c5b62eebdd6f2bef452cb0787a5e1b1d481274586ccbbfca7df2320f0bc27a74c07324bc10365b3
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZD788ZAR\microsoft.windows[1].xml
  Filesize: 96B
  MD5: fb128dd23be90403a359178e993c9d0f
  SHA1: 26fd6915e3556d4cd004f62d06fbca7926807544
  SHA256: 8da3b3625b4cd2b5eb982bb67a9478c68e411b45c46fb8548a62855069fc1c34
  SHA512: 7fe9d62e3ce2cc4818e8b16323bf94e1d31b2a492fe5afbc16ac4cb806fcf8449d63e5f5d40fae431fa91d28cf532ccbc74bc5af2fa18b6ee5ebf8c6399febdd
- C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe
  Filesize: 1.4MB
  MD5: 9a93ad48c4d58c0c43a032f85b0b112d
  SHA1: fbf8cae8642082c39a414da604cc9e9bb88f315c
  SHA256: 938e503ffe8a9614a60068fa1c966d6ea7f9b75d28c6b6ccefc7f47503f82e42
  SHA512: 38207b60140880e68222fe9cc628c9b776c4d59accebe78f4051a0bebc03f5a1411497664faeed3865af04d63acef1c96752a7c30dc156e968f37ff4c708812f
- C:\Users\Admin\AppData\Local\Temp\CDD1.tmp\btec.bat
  Filesize: 9B
  MD5: b0001c00a961b45a4d467ff7b0db34f9
  SHA1: 93bb6b09c9007ac568b39a77f4aa10d5dfc59fb9
  SHA256: abb30b0a70e39de39ce0790c6c157fd04bcfb998705ec1672fe8070ff2d34573
  SHA512: 3930bbe5b8936800736cb965e98f54eaf1e18218e865441f2ceff9002b23210c35867acef6a97f7491765701cede7ef82182410931cecd83fa5d7b121918c500
- C:\Users\Admin\Desktop\000.exe
  Filesize: 45KB
  MD5: 5136890a4227180370a27597403b94ba
  SHA1: d3dfec71fcb480b2531d9e7440e85e58ca325e5a
  SHA256: 7df185a50a3eac1d4f3d7e6dd45dad3752a13f190503b0a03b9a5e8ebea247b0
  SHA512: b3c53e5a66f6e450d91fca2c01c421f12f11b739cd4500ecc27e2788a0a24d2a533776230caeb00d15a24c5994f667e7e96b2b9bb6324d97bae556fdc366753f
- C:\Users\Admin\Downloads\2_BvG.rar
  Filesize: 1.3MB
  MD5: 630d1d0d0dc3e83894066c0b054ad8e3
  SHA1: 1c1c6a7bf0b2417f8cb4cf557cab379e53179dd6
  SHA256: 733ed3d64021c1de9d376e9f1d95d05ba9626ee04bbe89e42f021825ce7b8a7c
  SHA512: 94861f8cc2493befbce247fa2750f1811316b521efa80d4d7af7a6745ab4bc2a1f27718f7c0faed213c9824935790b68efae208ea6e87dde5b85209efb7fb281
- C:\Users\Admin\Downloads\Unconfirmed 195178.crdownload
  Filesize: 1.3MB
  MD5: 8515170956d36ef9da3082a7c22e8213
  SHA1: 66c835bdf217d1ceb2d73f7b8b27d7ccca212b38
  SHA256: 1ea62e6b152e4b7dbadf45289e04bf4ea7431c7928a9b3c6ba5e4c06fe368085
  SHA512: d462bed332c2e60d3815d6542013d56c58ffbf063aafe4f255dbe83b6e48e2b2f29b0063febd6c04a7e6721e149c727a3c2e8e0704807e2ce4c5bf98e5dbd423
- C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS.zip
  Filesize: 12.4MB
  MD5: 41fb45d3b775e2e6bd3ef3a039004609
  SHA1: 58e2d2f63d23f2c3ccbaee3c78ae305dbb9e32e0
  SHA256: 73ac51b9e0be88498cbb3e7bf1fb5e237413ffa87f09c2cdd6a899bf84d1d0ed
  SHA512: 7ca293fd0658b88b9c838b782a5d15d2307d2a88f11c33dafa30bc89517df9653b05577232a2df15382cab53ff6a5360c92d0200a2a3ce47eaa2a7bdb5d024c7
- \??\pipe\LOCAL\crashpad_4956_SUGPIHKBVBTEYMWK (no size recorded; the digests below are those of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1560-1176-0x000001B5015F0000-0x000001B501610000-memory.dmp
  Filesize: 128KB
- memory/1560-1151-0x000001B4FFEC0000-0x000001B4FFFC0000-memory.dmp
  Filesize: 1024KB
- memory/1560-1292-0x000001ACFE400000-0x000001ACFFD2F000-memory.dmp
  Filesize: 25.2MB
- memory/1560-1164-0x000001B500FE0000-0x000001B501000000-memory.dmp
  Filesize: 128KB
- memory/1560-1150-0x000001B4FFEC0000-0x000001B4FFFC0000-memory.dmp
  Filesize: 1024KB
- memory/1560-1149-0x000001B4FFEC0000-0x000001B4FFFC0000-memory.dmp
  Filesize: 1024KB
- memory/1560-1154-0x000001B501220000-0x000001B501240000-memory.dmp
  Filesize: 128KB
- memory/1708-1438-0x00000000034A0000-0x00000000034A1000-memory.dmp
  Filesize: 4KB
- memory/3332-1293-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1097-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1117-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1119-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1133-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1134-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1137-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1139-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1144-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/3332-1116-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/4172-1147-0x0000000003E40000-0x0000000003E41000-memory.dmp
  Filesize: 4KB
- memory/5044-1297-0x0000021230070000-0x0000021230170000-memory.dmp
  Filesize: 1024KB
- memory/5044-1302-0x00000212311D0000-0x00000212311F0000-memory.dmp
  Filesize: 128KB
- memory/5044-1436-0x0000020A2E600000-0x0000020A2FF2F000-memory.dmp
  Filesize: 25.2MB
- memory/5044-1306-0x0000021231190000-0x00000212311B0000-memory.dmp
  Filesize: 128KB
- memory/5044-1307-0x00000212317A0000-0x00000212317C0000-memory.dmp
  Filesize: 128KB
- memory/5200-999-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-998-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-1001-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-1000-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-1067-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-1087-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-1077-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-1014-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5200-988-0x0000000000400000-0x0000000000758000-memory.dmp
  Filesize: 3.3MB
- memory/5716-1295-0x0000000002D90000-0x0000000002D91000-memory.dmp
  Filesize: 4KB
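The dropped-file list above mixes the artifacts worth tracking (BvG.exe, 000.exe, the 9-byte btec.bat, the downloaded archive and its .crdownload) with Edge profile churn and one pipe entry whose MD5/SHA1/SHA256 are the digests of empty input, which match every zero-byte file on every host and must never be shipped as indicators. The Python below is an added example, not the report's own tooling: it parses records in the path / Filesize / hash layout used above, drops empty-content and browser-state entries, and returns the SHA256 set a detection engineer would actually push. SAMPLE_REPORT is a constructed subset of the entries above with hashes copied from the list; the NOISE_FRAGMENTS and PAYLOAD_SUFFIXES tables are the example's own assumptions, and archiver components such as the 7-Zip files would still need allow-listing against vendor hashes before being treated as indicators.

```python
"""Triage a sandbox dropped-file list into shippable hash indicators.
Added example, not the report's own tooling."""
import hashlib
import re

# "Label: value" lines that follow a path line in the list above.
_FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:\s*(\S+)$", re.I)

# Digests of zero-length input.  A sandbox records these for pipes and files it
# could not read; they match every empty file anywhere, so they are not indicators.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}

# Path fragments that are browser/shell housekeeping, not dropped payloads (assumed).
NOISE_FRAGMENTS = (
    "\\microsoft\\edge\\user data\\",
    "\\packages\\microsoft.windows.search_",
)
# Extensions treated as payload candidates (assumed).
PAYLOAD_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".rar", ".zip", ".crdownload")

# Constructed subset of the list above; hashes are copied from it.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: a57da25443a9fe5b8eef2c85d84157d5
SHA256: 01798580ba6f13c05ff732fbc19ef96e77b374e8c99c29955408f24329a7b6c0
-
C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe
Filesize: 1.4MB
MD5: 9a93ad48c4d58c0c43a032f85b0b112d
SHA256: 938e503ffe8a9614a60068fa1c966d6ea7f9b75d28c6b6ccefc7f47503f82e42
-
C:\Users\Admin\AppData\Local\Temp\CDD1.tmp\btec.bat
Filesize: 9B
MD5: b0001c00a961b45a4d467ff7b0db34f9
SHA256: abb30b0a70e39de39ce0790c6c157fd04bcfb998705ec1672fe8070ff2d34573
-
C:\Users\Admin\Desktop\000.exe
Filesize: 45KB
MD5: 5136890a4227180370a27597403b94ba
SHA256: 7df185a50a3eac1d4f3d7e6dd45dad3752a13f190503b0a03b9a5e8ebea247b0
-
\??\pipe\LOCAL\crashpad_4956_SUGPIHKBVBTEYMWK
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def parse_report(text):
    """Turn path lines followed by 'Label: value' lines into a list of dicts.
    Hash values are lower-cased; Filesize is kept as written (e.g. '1.4MB')."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        match = _FIELD_RE.match(line)
        if match and current is not None:
            key, value = match.group(1).lower(), match.group(2)
            current[key] = value if key == "filesize" else value.lower()
            continue
        current = {"path": line}
        entries.append(current)
    return entries


def classify(entry):
    """'empty-content', 'browser-state', 'payload-candidate' or 'review'."""
    path = entry["path"].lower()
    if any(entry.get(algo) == digest for algo, digest in EMPTY_DIGESTS.items()):
        return "empty-content"
    if any(fragment in path for fragment in NOISE_FRAGMENTS):
        return "browser-state"
    if path.endswith(PAYLOAD_SUFFIXES):
        return "payload-candidate"
    return "review"


def ioc_sha256(entries):
    """Sorted, de-duplicated SHA256 values of payload candidates."""
    return sorted({e["sha256"] for e in entries
                   if "sha256" in e and classify(e) == "payload-candidate"})


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for entry in parsed:
        print(f"{classify(entry):17} {entry['path']}")
    print("\n".join(ioc_sha256(parsed)))
```

The empty-digest check is computed with hashlib rather than pasted as constants so the same filter also covers any future algorithm the report format adds; the tiny btec.bat survives the filter on purpose, since a 9-byte script is still a valid hash indicator for this exact sample, but it is trivially changed and should be paired with the registry-policy behaviour rather than relied on alone.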