Resubmissions
21/08/2024, 19:45  240821-ygpwbaxbkc  6

Analysis
max time kernel: 964s
max time network: 968s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/08/2024, 19:45
Static task: static1

Behavioral task: behavioral1
Sample: njRAT0.7dFixedStealer (1).msi
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: njRAT0.7dFixedStealer (1).msi
Resource: win10v2004-20240802-en
General
Target: njRAT0.7dFixedStealer (1).msi
Size: 3.2MB
MD5: 5d74155c3195e27633e1609d45b1ce07
SHA1: e1ea143d17a1700867bf1baea72a442109f27504
SHA256: 5f1b04e4a9cf5e1e3f3e11a4ff712702a102c93be276dd5da9c6927c4808575a
SHA512: 1d75aa24a3c9e161c36422aa543bbb60491ef5a8f497aee2fb29cb692170b6745b054dcd2ee8f881c68d182db033c04842fe2f1484385870488738d108145c36
SSDEEP: 49152:+qf/c/f9r84jEHYDgE5e7vxP5Ferq7I5RJK5k1jcB6jWH5XzatCJkH105fASGdvi:tVHYDgpNxFecIC2H16l
Malware Config

Signatures

Blocklisted process makes network request (4 IoCs)
flow  pid   Process
4     3140  msiexec.exe
7     3140  msiexec.exe
9     3140  msiexec.exe
11    3140  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  MSIB58E.tmp
Drops file in System32 directory (2 IoCs)
description   ioc                                                                                                             Process
File created  C:\Windows\SysWOW64\CreatePolicyRegistries.exe                                                                  msiexec.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CreatePolicyRegistries.exe.log  CreatePolicyRegistries.exe
Drops file in Windows directory (17 IoCs)
description                   ioc                                                                     Process
File opened for modification  C:\Windows\Installer\MSIB318.tmp                                        msiexec.exe
File created                  C:\Windows\Installer\e57b058.msi                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB58E.tmp                                        msiexec.exe
File created                  C:\Windows\Installer\e57b054.msi                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB289.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB386.tmp                                        msiexec.exe
File created                  C:\Windows\Installer\SourceHash{19ABA0FB-6A2F-4C9F-A346-6842A74264F4}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB0C2.tmp                                        msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                          msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB4D1.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB463.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\e57b054.msi                                        msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB1DC.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB2A9.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\                                                   msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB442.tmp                                        msiexec.exe
Executes dropped EXE (5 IoCs)
pid   Process
2836  CreatePolicyRegistries.exe
2408  MSIB58E.tmp
1824  CreatePolicyRegistries.exe
3232  CreatePolicyRegistries.exe
2228  CreatePolicyRegistries.exe
Loads dropped DLL (8 IoCs)
pid   Process
1508  MsiExec.exe
1508  MsiExec.exe
1508  MsiExec.exe
1508  MsiExec.exe
1508  MsiExec.exe
1508  MsiExec.exe
1508  MsiExec.exe
2312  MsiExec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                       Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CreatePolicyRegistries.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIB58E.tmp
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CreatePolicyRegistries.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CreatePolicyRegistries.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CreatePolicyRegistries.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies data under HKEY_USERS (7 IoCs)
description  ioc                                                                                          Process
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  CreatePolicyRegistries.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E                    msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26                             msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27                             msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  CreatePolicyRegistries.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  CreatePolicyRegistries.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  CreatePolicyRegistries.exe
Modifies registry class (23 IoCs)
description       ioc                                                                                                                                      Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Media\1 = ";"                            msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF0ABA91F2A6F9C43A6486247A24464F                                                     msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F                                                     msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Version = "100794368"                               msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\AdvertiseFlags = "388"                              msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\PackageName = "njRAT0.7dFixedStealer (1).msi"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Net                                      msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF0ABA91F2A6F9C43A6486247A24464F\MainFeature                                         msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\ProductName = "Task"                                msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\PackageCode = "C0955259D5BD8A047B64ACC4855CCCCB"    msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Assignment = "1"                                    msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AED2CE1BD7CECD448AE07DA0C7D1626                                                 msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList                                          msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Media\DiskPrompt = "[1]"                 msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Language = "1033"                                   msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\InstanceType = "0"                                  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\AuthorizedLUAApp = "0"                              msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\DeploymentFlags = "3"                               msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AED2CE1BD7CECD448AE07DA0C7D1626\BF0ABA91F2A6F9C43A6486247A24464F               msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Media                                    msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Clients = 3a0000000000                              msiexec.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid   Process
3716  msiexec.exe
3716  msiexec.exe
2304  msedge.exe
2304  msedge.exe
1600  msedge.exe
1600  msedge.exe
3748  identity_helper.exe
3748  identity_helper.exe
4496  msedge.exe
4496  msedge.exe
4496  msedge.exe
4496  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (29 IoCs)
pid   Process
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            3140  msiexec.exe
Token: SeIncreaseQuotaPrivilege       3140  msiexec.exe
Token: SeSecurityPrivilege            3716  msiexec.exe
Token: SeCreateTokenPrivilege         3140  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  3140  msiexec.exe
Token: SeLockMemoryPrivilege          3140  msiexec.exe
Token: SeIncreaseQuotaPrivilege       3140  msiexec.exe
Token: SeMachineAccountPrivilege      3140  msiexec.exe
Token: SeTcbPrivilege                 3140  msiexec.exe
Token: SeSecurityPrivilege            3140  msiexec.exe
Token: SeTakeOwnershipPrivilege       3140  msiexec.exe
Token: SeLoadDriverPrivilege          3140  msiexec.exe
Token: SeSystemProfilePrivilege       3140  msiexec.exe
Token: SeSystemtimePrivilege          3140  msiexec.exe
Token: SeProfSingleProcessPrivilege   3140  msiexec.exe
Token: SeIncBasePriorityPrivilege     3140  msiexec.exe
Token: SeCreatePagefilePrivilege      3140  msiexec.exe
Token: SeCreatePermanentPrivilege     3140  msiexec.exe
Token: SeBackupPrivilege              3140  msiexec.exe
Token: SeRestorePrivilege             3140  msiexec.exe
Token: SeShutdownPrivilege            3140  msiexec.exe
Token: SeDebugPrivilege               3140  msiexec.exe
Token: SeAuditPrivilege               3140  msiexec.exe
Token: SeSystemEnvironmentPrivilege   3140  msiexec.exe
Token: SeChangeNotifyPrivilege        3140  msiexec.exe
Token: SeRemoteShutdownPrivilege      3140  msiexec.exe
Token: SeUndockPrivilege              3140  msiexec.exe
Token: SeSyncAgentPrivilege           3140  msiexec.exe
Token: SeEnableDelegationPrivilege    3140  msiexec.exe
Token: SeManageVolumePrivilege        3140  msiexec.exe
Token: SeImpersonatePrivilege         3140  msiexec.exe
Token: SeCreateGlobalPrivilege        3140  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Token: SeRestorePrivilege             3716  msiexec.exe
Token: SeTakeOwnershipPrivilege       3716  msiexec.exe
Suspicious use of FindShellTrayWindow (27 IoCs)
pid   Process
3140  msiexec.exe
3140  msiexec.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
1600  msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                         pid   Process      procid_target
PID 3716 wrote to memory of 1508    3716  msiexec.exe  89
PID 3716 wrote to memory of 1508    3716  msiexec.exe  89
PID 3716 wrote to memory of 1508    3716  msiexec.exe  89
PID 3716 wrote to memory of 2312    3716  msiexec.exe  90
PID 3716 wrote to memory of 2312    3716  msiexec.exe  90
PID 3716 wrote to memory of 2312    3716  msiexec.exe  90
PID 3716 wrote to memory of 2408    3716  msiexec.exe  94
PID 3716 wrote to memory of 2408    3716  msiexec.exe  94
PID 3716 wrote to memory of 2408    3716  msiexec.exe  94
PID 2408 wrote to memory of 1600    2408  MSIB58E.tmp  96
PID 2408 wrote to memory of 1600    2408  MSIB58E.tmp  96
PID 1600 wrote to memory of 1504    1600  msedge.exe   97
PID 1600 wrote to memory of 1504    1600  msedge.exe   97
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 952     1600  msedge.exe   99
PID 1600 wrote to memory of 2304    1600  msedge.exe   100
PID 1600 wrote to memory of 2304    1600  msedge.exe   100
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
PID 1600 wrote to memory of 4540    1600  msedge.exe   101
Processes
(process tree; child processes are indented under their parent)

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\njRAT0.7dFixedStealer (1).msi"
  PID: 3140
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 3716
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 30D762B95C0F2B24BB2870D5BDF999A8
    PID: 1508
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1199B24A50021DD8FDE49EF0E1088BB2 E Global\MSI0000
    PID: 2312
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\Installer\MSIB58E.tmp
    command line: "C:\Windows\Installer\MSIB58E.tmp" https://seekspot.io/tyy
    PID: 2408
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://seekspot.io/tyy
      PID: 1600
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7fff418646f8,0x7fff41864708,0x7fff41864718
        PID: 1504

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        PID: 952

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        PID: 2304
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
        PID: 4540

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        PID: 4488

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        PID: 1528

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
        PID: 2312

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
        PID: 1620

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
        PID: 3748
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
        PID: 3732

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        PID: 4856

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
        PID: 1568

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        PID: 3184

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
        PID: 3908

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
        PID: 4856

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
        PID: 4976

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5604 /prefetch:2
        PID: 4496
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
        PID: 4384

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
        PID: 4496

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
        PID: 2032

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
        PID: 5068

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
        PID: 4452

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
        PID: 4996

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
        PID: 4508

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6180 /prefetch:8
        PID: 4152

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1272 /prefetch:1
        PID: 1820

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
        PID: 2104

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
        PID: 180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:14⤵PID:3436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:14⤵PID:3320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:14⤵PID:3912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:14⤵PID:2228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:14⤵PID:4432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:14⤵PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:14⤵PID:2152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:14⤵PID:2492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1916994212122638846,12130550265083698648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:14⤵PID:684
-
-
-
-
C:\Windows\SysWOW64\CreatePolicyRegistries.exe
C:\Windows\SysWOW64\CreatePolicyRegistries.exe 1⤵
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:4660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵
PID:3120

C:\Windows\SysWOW64\CreatePolicyRegistries.exe
C:\Windows\SysWOW64\CreatePolicyRegistries.exe 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1824

C:\Windows\SysWOW64\CreatePolicyRegistries.exe
C:\Windows\SysWOW64\CreatePolicyRegistries.exe 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3232

C:\Windows\SysWOW64\CreatePolicyRegistries.exe
C:\Windows\SysWOW64\CreatePolicyRegistries.exe 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2228
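The process tree above is worth more than a skim: the same dropped binary, CreatePolicyRegistries.exe, is launched four times from SysWOW64 (only the first launch carries the "Drops file in System32 directory" tag), the CompPkgSrv.exe and rundll32.exe entries are COM activations (`-Embedding`) rather than sample activity, and PID 2228 is used first by an Edge renderer and later by a CreatePolicyRegistries.exe instance, so in a run of this length a PID alone does not identify a process. The following Python is an added example, not part of the tria.ge report, that parses entries in the layout used above (image path, command line ending in the tree marker, optional signature tags, PID) and runs those three checks. It reads the digit before the ⤵ arrow as the entry's nesting depth, which is an assumption about the report layout; the sample input is constructed from the entries above with the Edge command line shortened.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample in the report's process-tree layout. The PIDs, tags and
# paths are taken from the entries above; the Edge command line is shortened.
SAMPLE_TREE = """\
C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --type=renderer --renderer-client-id=31 --mojo-platform-channel-handle=3460 /prefetch:1 4⤵
PID:2228

C:\\Windows\\SysWOW64\\CreatePolicyRegistries.exe
C:\\Windows\\SysWOW64\\CreatePolicyRegistries.exe 1⤵
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2836

C:\\Windows\\System32\\CompPkgSrv.exe
C:\\Windows\\System32\\CompPkgSrv.exe -Embedding 1⤵
PID:4660

C:\\Windows\\SysWOW64\\CreatePolicyRegistries.exe
C:\\Windows\\SysWOW64\\CreatePolicyRegistries.exe 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2228
"""

# Command line followed by the nesting depth (assumed meaning) and the tree arrow.
CMDLINE_RE = re.compile(r"^(?P<cmd>.*?)\s*(?P<level>\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Proc:
    image: str
    cmdline: str
    level: int
    pid: int
    tags: list = field(default_factory=list)


def parse_tree(text):
    """Parse blank-line separated process entries into Proc records."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            raise ValueError(f"truncated entry: {lines!r}")
        m = CMDLINE_RE.match(lines[1])
        if m is None:
            raise ValueError(f"no tree marker on command line: {lines[1]!r}")
        pid, tags = None, []
        for ln in lines[2:]:
            if ln.startswith("- "):
                tags.append(ln[2:].strip())
            elif PID_RE.match(ln):
                pid = int(PID_RE.match(ln).group(1))
        if pid is None:
            raise ValueError(f"entry without PID: {lines[0]}")
        procs.append(Proc(lines[0], m.group("cmd"), int(m.group("level")), pid, tags))
    return procs


def dropped_in_system_dir(procs):
    """PIDs that ran a dropped binary out of System32 or SysWOW64."""
    return [p.pid for p in procs
            if "Executes dropped EXE" in p.tags and p.image.lower().startswith(SYSTEM_DIRS)]


def com_activations(procs):
    """PIDs started by COM (-Embedding): OS background noise, not sample behaviour."""
    return [p.pid for p in procs if p.cmdline.rstrip().endswith("-Embedding")]


def pid_reuse(procs):
    """PIDs seen with more than one image: Windows recycled them during the run."""
    seen = defaultdict(set)
    for p in procs:
        seen[p.pid].add(p.image.lower())
    return {pid: sorted(images) for pid, images in seen.items() if len(images) > 1}


def launch_counts(procs):
    """Number of launches per image path (case-folded)."""
    return Counter(p.image.lower() for p in procs)


if __name__ == "__main__":
    procs = parse_tree(SAMPLE_TREE)
    print("dropped EXE run from a system directory:", dropped_in_system_dir(procs))
    print("COM activations (noise):", com_activations(procs))
    print("recycled PIDs:", pid_reuse(procs))
    print("launch counts:", dict(launch_counts(procs)))
```

Key correlation on (PID, image, start time) or on the sandbox's own process identifier when pivoting from this tree into network or file events; the recycled PID 2228 would otherwise attribute Edge renderer activity to the dropped binary or the reverse.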
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 225KB
MD5 556c824c2bf2c901a447a5f7797fb3f3
SHA1 c660e24afce97da9aaadb3e4253dfb895034e990
SHA256 f0ffab37c839377f0b73ae9543afec5cbcfedf67bfbfa967a938765e55714f3b
SHA512 5b1d9b0f3a074240d634dfcfdfe21376763a7848ee976097ef1724578e4594b446836d2b41a7405b99e3f97a7ccb10c9ced0b85f4d050584e586425f611428ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_8E0C0D0E410547CB370CB3621BF77118
Filesize 727B
MD5 cc382282d473a2bbf5b14c8859fbb6f0
SHA1 b0f3353d22836a294dd8870f085e1e3727dc0019
SHA256 46b4f2f006f967152f5008eda5d080cc28728103bb2b774004cc3ba7e1df6432
SHA512 3f917675b31ea7383775c9a6deed3756e4c16d50e43949cd9160e3e9b6a986fc15bd53b78654755e40d0ede673eb8b006c50f7dcdab337bf2d72d82e9155b3d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize 727B
MD5 7a3b8457313a521e0d44f91765a4e041
SHA1 4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267
SHA256 2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c
SHA512 7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_8E0C0D0E410547CB370CB3621BF77118
Filesize 482B
MD5 c6e47890dacbf0fefb16fcf679049582
SHA1 8db452721d6eb1e676cd60048581141a8ba7c211
SHA256 46babd3073db5433c5ab658ba964c5c92bf721f76c7aeeaa40cd104f6dba6e23
SHA512 8c991d568ef6c8e148062b664617cf2157967ec6dc5e03be29eb465d9c32f7aec1b2077b8b6c899a7ab34cfac471506273e400db652263d8e6c8f1f9e88ab9be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize 478B
MD5 f3cf36fdefe8c5ad202722594031d88f
SHA1 95309bb60cd72f78ab58f32b03c2d8511262e969
SHA256 fe07e3389fe91dff0d3d6a260f70142f35dcaadecb97f61c286ff9f42d3f2681
SHA512 9b1995062c5aaf7cc548cdc2e5b63f6755c10af49a805b0510475ae44b4d274bec7bb1cdacf05d875fd8e98c0372aa73e20ee19360ebdcdb418fae8acc375e1f
-
Filesize 152B
MD5 719923124ee00fb57378e0ebcbe894f7
SHA1 cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256 aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512 a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize 152B
MD5 d7114a6cd851f9bf56cf771c37d664a2
SHA1 769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256 d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
Filesize 72KB
MD5 08a7eb40b82572e13873fa1d70e8b101
SHA1 e26b02b9621c4e684378d06ae041f7c941634ec8
SHA256 5cff81eb2b5d853688e90aaac32fb6c765c538a4e72f032bcdbfb8d53a2edd36
SHA512 2828160bcb13d1ae472bfd066dfe8fdc5e643d918561b9fc45bedc96c6521b5a9b4202bf9865a5b83d71fbc60d8271671212f59e276943d01c57c7dfe08dc36b
-
Filesize 50KB
MD5 0789c37c8b924c85a311dafedd0e9ad8
SHA1 49dce4779058aa0ed4bc56d5e803b43134643aaa
SHA256 61b1d5944e376537eae7f3e96790fb3b48f6f056dda50f2fcb36146ed15b7df8
SHA512 74b02efef71b60a9a98916dece1fe2887933d4f1404c15c3ef7ab8a9b23d0d16b16743d765bce85b7d0edf22d3cb1f88745aa209beda10477eaa545a704d4527
-
Filesize 95KB
MD5 dc51b256d2198a0148c0396ebcae55cf
SHA1 4ee9171d752ed44d0f7290e1d026ff05d72d2913
SHA256 d1010684ded60881b40f4a79e16e6b9209e6d1f79525673d24c3db3370bb0966
SHA512 268c0bf59db4d0f180f743a03800ec55db2e56174dfddd3f94d45e408d1625963658029689e3d5976f88737894a49007a14481d597464eb4fa611506a57155f2
-
Filesize 20KB
MD5 87e8230a9ca3f0c5ccfa56f70276e2f2
SHA1 eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256 e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA512 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8
-
Filesize 141KB
MD5 c5065518c6a5d365ff05c6f4d5eba647
SHA1 e6b5f8ab6bf5453d164b1ae589b88e4d78d75e28
SHA256 a8a2227fdee378645e731d0717a24b4087c31056f1506e143eb054085eb6f126
SHA512 6e29e36512d3c78054d1b8976756b26ea18cde07a601ff957d48f26993637c066bd95919b07406ad2c0af055eb08ee19da2075bbdfbfeddda10a00a4450eb8ee
-
Filesize 20KB
MD5 dd62255c6e72b80ce88a440481d3d22f
SHA1 17758b8673c033ecf7c194e5d1190bbf9516c825
SHA256 16921001068e64b8ac9935d54eaa1dca108647370c5987443732ecd4f0f56249
SHA512 19cb0414fa378f59229d6296a4165e3a073fb6c6b812969c7015d3f73e7738c70893346740396986c6148ca1fcd5e7a8021aed775c808eb67ee9d1b301f0ee76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 312B
MD5 4ce7dd2f7af32e0ffec7d150507bf926
SHA1 46a810151628a999f6a1738ff0d604e825cfe7cd
SHA256 9cfbbdae0f45c4bea9c9823086a196c948367bc55d0effef0150adc5d548c985
SHA512 4b7c3b6b8e4bf4c872b89793d3e33871c1d7667dabfcf9912cdb8ced5238c433a325ce9359b02b31ddcbf014f7c67e7f155ead971f6faf09be70fa4a1a83e68b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 288B
MD5 afb1b516ac81e46ab000f6a7545dd6e4
SHA1 a2b1f8558338ed9c832761c438df29529f1e0334
SHA256 5fe3393c1b5974a87b2fbe60e080d63853aac08bb91f7b9925f2406a573d5394
SHA512 576916ebcce072a47e169805c10c688436fb99a74da2ea3f0f95e9f6d9215e7742081b18cd99cb9aef32bd9a9fb92bb0a2a0c347a158d7287543cec4654e9e21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 72B
MD5 2266244df8e763b1de283761372ac672
SHA1 1d7bbf95b72a167bca6bcd3a6c72429dc5f745ee
SHA256 3f5a0dc39718dc23f67ceacb6b35836195bf5300dc0ca2285c3ad94a2f3e22cc
SHA512 720a47018670af8c50211f08b2db50bd476bf73988936aebc6bcdbe48194176332c86b9baecb94fb2a4c1ea6e5b1d5bfc615b0bc7ddbf8e5ad827df1d2202472
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 432B
MD5 f90da53d5c45e6d06c5e7c4a77aac2b4
SHA1 76068c1ca368d7ea1327d5cf726bf651056295d5
SHA256 3ebdb8f40ba88f2ebfc19545fd956297c6932c8eb00159ff3235f29378ccd853
SHA512 91d47799a235c521a03b77a4dfdc5213db6f631c12fb469df9cf43847e6c2459a103429d9455d40cc6fee4dddd2fb789d15092254ef3105ec60c1123a08eb4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 432B
MD5 c96933f2d095f5bb101820179dd66eb9
SHA1 b74db20774a85b4aaa2840e0658c424f3046a6a0
SHA256 bdbe8aa56f02de604e2a4c90a78220c385e8f45236dc21890e88c1071ffbb0ba
SHA512 d1291073bd87bd58d776ed3b0b085460aae1ee3573900c54ad77975d424c3389bd4bc69a6f7899165d61059f0e5c300b777ba0105911574932cde40f57cbe6d3
-
Filesize 3KB
MD5 e6d67a95a595fb984c2a81e329a51c91
SHA1 08ac1ed0db50472ab75012a3b3b3d02200b548e2
SHA256 acc0a77359f56a6f3220bad6222d521cc80fc4801657dabae69b2613dde89fb7
SHA512 082e9e03a4c4fc3e4d1dbd4fa7945b547ccece4ea407a323ac690ae02dfb7214bb22b9f9d336e8e49af9cc47f6a9fc8c92a93177d72d06094470136dfb41dd41
-
Filesize 3KB
MD5 58f6dce71b2193af58809240402c06b3
SHA1 bf1b75a04c87f24abf833c4cc8b72a08b7861042
SHA256 924fed0d1a8790298db4d4b50df7cb946c26d1d575c08a9d0b9ec0a39ef94f4b
SHA512 5461268475a9f71954087e29b27867141dce0af28de10f6696cc1031b5cec0322a93a2332c8557495ef0eddfe68b89bf57195703181abd4d659bdb9fb980c7bc
-
Filesize 3KB
MD5 9f5637ab3bec31d0ad85caa62e7d0fae
SHA1 b27245fe072aad7370076e23852a587059fa3f96
SHA256 f00c08760efbe4a89e58503b613912a24594ef01d4d1e7cd2522eb59a40537d9
SHA512 c3d0597c92ae6389209b85d35c8358c1064722bc660bca34f37c4ca78ab91542ec1d03918ee515229160580d7ee7c0cf3c326c4c48af0caa7ef91e504121521b
-
Filesize 387B
MD5 31ef72e6a172ec4481a030dfa0e840fc
SHA1 f2d54fe0c7a489260722de64e2c1e8c15333fa28
SHA256 c67f038c764222b3a8ae65789fe0823c594f435531ea3b38e697ed2fc6565d13
SHA512 60ba3b9deef9d81df2dc2c775450b6487d939838ef210c56ea5448938059419a7eb0259e911e467d388033e9658feb8dfc5e78cd72a869b3681d4f8f7dd840e7
-
Filesize 317B
MD5 0fe6a36704286fa053c8be4385d7e0cf
SHA1 4c88046cb53497b0cbba9b197a621dc5962d60ba
SHA256 698039da2a84982448f1167efdd0c247c70995d28d6f542bbd49fe0c87ade213
SHA512 958aa8edb88f11c89582215d42e03dfe73a2e7cc37684be9b8d0ce2cf06278fd749197a9144ba7a384fe365a00db4537c5016635d8adf538bdbe04bbc5e4cbfc
-
Filesize 5KB
MD5 e2ae2a7b9310fcd7a7555595ed39a42d
SHA1 ba087ce5d7d90ec7b82de0e55952a058b9ddf066
SHA256 70d4e2ea72a677b25047fe23e681b5596f8e0d00e98fe78a28011ad24061fe6c
SHA512 18203cec0b974e4cffdadfd793ea0f31713c38a6f4a6c30be2333be406a6d45b54bb8c153e81321290524cb7c19708cfff160c2c4bb7dbaf482faf6ccd4d7668
-
Filesize 8KB
MD5 7f77ef74452e1624468629ad9dfaef33
SHA1 084cd1f19d75049983b64807df0ce2b7eb3e4722
SHA256 d9319d24107faa9965292bb9043fbcb79855a892d67697cfa61f3d7181360804
SHA512 dafed9a5969152cf67f1eb43c39008a20d28d4dab3d760dcd79cf1ec8fcc70da760edc2236931e700cb206fbede3af3bfaa24a9281e85be72330bf265f341708
-
Filesize 6KB
MD5 790961aad90ab643d2f2d48601a9f67a
SHA1 c88f78a1102948891537cd30e8411813b2234bed
SHA256 a80e6775f171a54b87a244073292d71483f86b1d354272e13386cf99c92f00e9
SHA512 db0c5f06ef5e69de77b35f3a7bcd81f67e4c5c0b72413a75bd21f2f4596bf10370f52683a3e3b8bc63c703a369ffdffe0b136a7ebc4c20f3667ace24cb073ef2
-
Filesize 8KB
MD5 cc2572dfabf68ee64a2bcbe1fd14cf44
SHA1 d28692c507019b7c4f806410d47c1983857fe476
SHA256 adf42ee14d91f704326d825b924a0b4a667c86f3774ac156906d34a79cff087a
SHA512 628095e72b99f092cb22a381e8256e9f68d0e917046fa8f24bffc0d5dc2b49b9ceba547464c0aeb2bc5256d7c0f2997fb625a6067cc58b60e98ea2909d16efb1
-
Filesize 7KB
MD5 7e84b6ce9ff5f6e8e017528fae8a71be
SHA1 9a9abb43076fc4ee44ddb0c245d3c114db80b337
SHA256 fa900b2b0e939b4808ceda336e66f472ece201fcdb7e4198e328851e3f54f550
SHA512 12497fe1417e9a247324985b661641d7cb7b35fc9a2c0ab121aa7536464bdde76305e0ca74e3a5d044cc359c54d957ec6768ab21233ffa0f9c078fe222fb6852
-
Filesize 8KB
MD5 768c682231af1a6d03fe78d1044aeb52
SHA1 2a6750c1fd5cc0021d3342df12f61b3c91e2f8b5
SHA256 39c98349b62e88cc7729ce4004a7ba06009a2ce24ce9ea8e0347b98b4acd7833
SHA512 65994f2dddc206f3ffd918b78270fa0d759589af4259907f881f99918fbbe44f15bb2ad8ce8c4b7811ad7b28afd3033913d576d497f6b531735752fe63e1f504
-
Filesize 6KB
MD5 adf133a70d9a0242bb0d1eb2effd78d1
SHA1 55b8a386b6332866ac72f6bff24db250af7cd3fc
SHA256 0c0f0ba957aa0e0e2734bf631fe815bb3902265c7830646a1e63f8d4a16674b1
SHA512 460b4124014d6e0643837204ffd115186db2e477ab1247113d446e250681b87975557fae02ffce3989b629142a1a2e19e0a22db5c4219a4037bc9e7069ca78a0
-
Filesize 1KB
MD5 f7f1274e4e314efc8439305dd2943b3e
SHA1 7bb18c1b72f61711127854bf116f59d8039eed82
SHA256 6a5fb041a5a89967239a23fa070ebfcabdf772408d54acdf822ec74e6c87b2f3
SHA512 e611da1201584fbba1ee66c570eb963e71569febe0378da186bf60e46eeca685326b9e8f23bd368273511ca50783135cb98f5050b7c385631335a33bf9f3a9cd
-
Filesize 1KB
MD5 41e34a2989a97eff1a5fe7bfd65b0335
SHA1 00f438b5c7568061a07fc520738813f09f07cc5d
SHA256 1d428267425c36c5494edb8d5aa3658523b87411d10f00eea2bc48d9dd3c7ceb
SHA512 b150e1767dbc5ff4cc07dc28259d3addc1a38472deb03ef75b104390a625af99031c03539ecdef1c56af587ff74d6f9ff04621527cd20a4d0331c4eb39ec6ac9
-
Filesize 1KB
MD5 41e6711df7b6715b48231fa410e3304a
SHA1 c16eac689da525f2ca8bf190b4a3c5ac6c67598b
SHA256 4632787c354d8a98a8b02b50eb068d3b520ee9c7adc214940db81464ad3d57c9
SHA512 f84c5f4687acab1b2f3b00c963913208552a7d16ddff973b44d817c9a8174ce36a9884db9a4b4783adcbbed1cc6a48c6fafe33bd4b0349dd26a4eb9b24ada92e
-
Filesize 1KB
MD5 b2ff78603659759e8b4469151ca6acec
SHA1 2ec8601c1fa620bb116c7a3a89e8bfd666192bc4
SHA256 5effcafa1726e015841deb0a3c12ac039ebccbc7de35a1e981017a43bce44925
SHA512 5b61323b466f7e4ab155915ffcd7f512250b752efdbc9968463cea064a3bf435fc852c3d4e0b00e55172fea1892ee91e4d5b4669a70315af199252a0b01fa1e7
-
Filesize 874B
MD5 9f34a7554a172386144d7fe133228103
SHA1 0fe866b1f0093d4871d1db220efd022e017a89f1
SHA256 181dda49c947e7dc4141743b11a17a64c3d57885c1987b5db16b7b44f4c74b5d
SHA512 233db979952b7d26c6939164bd3661981ee9f9f997e1fe7c711bc5bade7c8d6e31ab5e8795d1fb84f32620faedaafdbe71ab3db92b6d793e0254efa8af465e6a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bdbe1526-fedd-4b7a-a91f-d6682fcf1fb0.tmp
Filesize 8KB
MD5 2be00a93769bc06773f9459c38e8b664
SHA1 c5d551a222e375be1be11921abd2b47c35ea0499
SHA256 2d79f39bf4313094354e22e3c4aa643894ef968fb58d7882335cc6a0ac28d290
SHA512 6732a2f7d447952bc59e94bc3816834a4a0986b7fafddb85df6bdee01680ffb7d1ea4bfcbd40988fa92b82397fc4d33daeef6dad43db2b1cdecdb61a08d76a35
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 11KB
MD5 1c2a291303dc9d18092c478d64bee53d
SHA1 b6006f8412cb413b86eb734d8f26610183d519b9
SHA256 81b2cd24f1afae870ffe64617be7494c1b4288b73f46a5318320c1415e620849
SHA512 5fb09f63b057b2e7b0e88678439572f2f1f7b6c1c8fccaf71a4dc57d69518643cf2f240879f82a4345991e78e0fc127589ff064e9d2566d75cce74c01e169b00
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 10KB
MD5 1cbb37687a01c1bd4c1104d89579672c
SHA1 5d97514ead45c3b577fd83fcb67e4a57ae06fa0c
SHA256 5a0671d2b65cb905e03e9fb17e2cf9a2aa302af4f529a916f7e155d89db856e6
SHA512 a50f203042a8cce26425cbfca64c86f8cb7f92c7002dfba738f8d346bfb1741e7455dcbee25cee410c0527861663161a419854e828bfca2e34608c0915de1af7
-
Filesize 904KB
MD5 421643ee7bb89e6df092bc4b18a40ff8
SHA1 e801582a6dd358060a699c9c5cde31cd07ee49ab
SHA256 d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da
SHA512 d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023
-
Filesize 1.1MB
MD5 e612b2f3c68a7d5c34592c88778766b2
SHA1 e18329c9f763f923682408032b7b35a4e62fdf81
SHA256 403869ed494bcbc3e535b492f2ebfad95748049e203ff7c31ac1afb38d8909ed
SHA512 753c8d4600595c0b83f1a5bca9da637d56d7778ffd74a90942ee243e6b998c113e372b35cde4aa90b4a11152176812e354a6c0761b169243ecf5d3a9c793b543
-
Filesize 216KB
MD5 c4d90c83e2fe2693549c97433a61fff7
SHA1 c0d15050b51b79838fce008279ad8aed835b0228
SHA256 9c845f330716ed4228b6176b8fc9fd9ea90f687d6915c01ed5e5745537d5c1f4
SHA512 467e3e0fcab89de5fe0af7ecf0a081ff25db10718d5a99f317fc0511d71c5b0e54141a25138bccce61ca7ac03c768da78ec8bf2e5bbb1fa73cb3fc632a5f869d
-
Filesize 416KB
MD5 968b71f1a1ddeb430fd85b3935c0832e
SHA1 e8f037a8cfd6c213efe9ab2674e67759dd83315d
SHA256 b39fe8097e0ec833475e8d2d6f2ee15fa0360f2d2344a3962b2516e697476a0e
SHA512 36322dbf6ee602e92d59638d14dc7a14e78a468fccd35351ddce6e3151d974bbc800f87c1a0aa6e3f000d2a76a8826c182c9c43b4628daa3b8d61db557b4e200
-
Filesize 3.2MB
MD5 5d74155c3195e27633e1609d45b1ce07
SHA1 e1ea143d17a1700867bf1baea72a442109f27504
SHA256 5f1b04e4a9cf5e1e3f3e11a4ff712702a102c93be276dd5da9c6927c4808575a
SHA512 1d75aa24a3c9e161c36422aa543bbb60491ef5a8f497aee2fb29cb692170b6745b054dcd2ee8f881c68d182db033c04842fe2f1484385870488738d108145c36
-
Filesize 8KB
MD5 4e645d7b2898ecf396a3d11588b7a7e1
SHA1 f46d4bcad68ce48d30c940ef2e24819d436d6d9a
SHA256 a8ff74b484e337f8309cc42954578fc0e1e747af58d31df9bf017f7e83cb1037
SHA512 a62e01457f195f45d316ee39a8e80241ccf988466e02d9d93cf5a331fab203833ced91bc661063bc7acf0699a745d30b090b67a18158046891523f32e96d66b5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CreatePolicyRegistries.exe.log
Filesize 1KB
MD5 480c164e1147059479578928631605fa
SHA1 bafc2e08ba198af11d2b9c7f377150f9be21367b
SHA256 2d4b853c113f9478a8320cf0b1f676a89b858f35e8e8a2e706da66b25f4e2971
SHA512 3c0a0ee27f086a17cbee8b4f7f58d733eda8de66023f6766b573d7bfcca91fcc02baeef5ce2d7be7ae7d1d7fca9abe7d096c46e71e7826d85370827903dbff89
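Most of the list above is sandbox side effect rather than payload: the CryptnetUrlCache entries are CryptoAPI's on-disk cache for CRL, OCSP and AIA fetches made while a certificate chain was built, the Edge Code Cache and .tmp entries belong to the browser profile, and the customDestinations-ms file is a jump list. Note also that many entries have no path in this export, and the 3.2MB entry repeats the submitted MSI's own hashes. The one artifact that deserves attention is the CLR usage log under SysWOW64\config\systemprofile: the .NET Framework 4 runtime writes `<exe>.log` into `CLR_v4.0_32\UsageLogs` when a 32-bit managed executable runs, and the systemprofile location puts that execution under the LocalSystem profile. The Python below is an added example, not part of the tria.ge report: it parses the flattened list (labels fused to values or split across lines, entries separated by lone `-` lines), validates hash lengths so a mis-copied IOC is caught before it reaches a blocklist, filters the side-effect paths, and looks a blob up by SHA-256 while cross-checking the other digests. The sample input is constructed: two entries are copied from the list above, one pathless entry is copied as well, and the `C:\sandbox\constructed-abc.bin` entry is a placeholder carrying the standard digests of the three bytes `abc`.

```python
import hashlib
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S.*)?$")

# Paths a sandbox run produces as side effects rather than as payload drops.
NOISE_MARKERS = (
    "\\cryptneturlcache\\",            # CryptoAPI CRL/OCSP/AIA fetch cache
    "\\microsoft\\edge\\user data\\",   # browser profile caches
    "\\recent\\customdestinations\\",   # jump lists
)

# Constructed sample in the layout of the report's Downloads list.
SAMPLE_DOWNLOADS = """\
-
C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\248DDD9FCF61002E219645695E3FFC98_8E0C0D0E410547CB370CB3621BF77118
Filesize727B
MD5cc382282d473a2bbf5b14c8859fbb6f0
SHA1b0f3353d22836a294dd8870f085e1e3727dc0019
SHA25646b4f2f006f967152f5008eda5d080cc28728103bb2b774004cc3ba7e1df6432
SHA5123f917675b31ea7383775c9a6deed3756e4c16d50e43949cd9160e3e9b6a986fc15bd53b78654755e40d0ede673eb8b006c50f7dcdab337bf2d72d82e9155b3d2
-
C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\CreatePolicyRegistries.exe.log
Filesize1KB
MD5480c164e1147059479578928631605fa
SHA1bafc2e08ba198af11d2b9c7f377150f9be21367b
SHA2562d4b853c113f9478a8320cf0b1f676a89b858f35e8e8a2e706da66b25f4e2971
SHA5123c0a0ee27f086a17cbee8b4f7f58d733eda8de66023f6766b573d7bfcca91fcc02baeef5ce2d7be7ae7d1d7fca9abe7d096c46e71e7826d85370827903dbff89
-
C:\\sandbox\\constructed-abc.bin
Filesize
3B
MD5900150983cd24fb0d6963f7d28e17f72
SHA1a9993e364706816aba3e25717850c26c9cd0d89d
SHA256ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA512ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
-
Filesize
8KB
MD54e645d7b2898ecf396a3d11588b7a7e1
SHA1f46d4bcad68ce48d30c940ef2e24819d436d6d9a
SHA256a8ff74b484e337f8309cc42954578fc0e1e747af58d31df9bf017f7e83cb1037
SHA512a62e01457f195f45d316ee39a8e80241ccf988466e02d9d93cf5a331fab203833ced91bc661063bc7acf0699a745d30b090b67a18158046891523f32e96d66b5
"""


def parse_downloads(text):
    """Return one dict per entry: path (None when the export dropped it) plus the labelled fields."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # entry separator
            if cur is not None:
                entries.append(cur)
            cur, pending = None, None
            continue
        if cur is None:
            cur = {"path": None}
        if pending is not None:               # value of a label that stood alone on the previous line
            cur[pending] = line
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m is None:                         # not a label, so it is the path
            cur["path"] = line
        elif m.group(2) is None:
            pending = m.group(1)
        else:
            cur[m.group(1)] = m.group(2).strip()
    if cur is not None:
        entries.append(cur)
    return [e for e in entries if "SHA256" in e]


def validate(entry):
    """List what is wrong with an entry's digests; empty means every digest is present and well-formed."""
    problems = []
    for label, n in HEX_LEN.items():
        value = entry.get(label)
        if value is None:
            problems.append(f"missing {label}")
        elif len(value) != n or re.fullmatch(r"[0-9a-fA-F]+", value) is None:
            problems.append(f"{label} is not {n} hex chars")
    return problems


def is_noise(entry):
    """True for artifacts written by the OS or browser as a side effect of the run."""
    path = (entry.get("path") or "").lower()
    return any(marker in path for marker in NOISE_MARKERS)


def digests(data):
    return {label: getattr(hashlib, label.lower())(data).hexdigest() for label in HEX_LEN}


def match_bytes(data, entries):
    """Find the entry whose SHA-256 matches, then insist the other digests agree with the report."""
    computed = digests(data)
    for entry in entries:
        if entry.get("SHA256", "").lower() != computed["SHA256"]:
            continue
        for label in ("MD5", "SHA1", "SHA512"):
            if entry.get(label, "").lower() != computed[label]:
                raise ValueError(f"{label} in report disagrees with the computed digest for {entry['path']}")
        return entry
    return None


if __name__ == "__main__":
    entries = parse_downloads(SAMPLE_DOWNLOADS)
    for e in entries:
        flag = "noise" if is_noise(e) else "keep "
        print(flag, e["Filesize"], e["SHA256"], e["path"], validate(e))
    print("lookup of b'abc':", match_bytes(b"abc", entries)["path"])
```

The SHA-256 lookup plus cross-check matters when an IOC list has been retyped or passed through a ticket: a single wrong character in the MD5 column would otherwise go unnoticed until a blocklist silently failed to fire.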