xtremerat | a1e4e5dfc0798f9194bb5e16965764b6a5ba08be5491a60c0975060f45b4c219

Analysis

max time kernel
166s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 07:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Size

515KB
MD5

869361b96dca155765fcf89d7868b911
SHA1

807ecc63caa2addc58ffc035c13d67d6f8ec064e
SHA256

58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207
SHA512

9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610
SSDEEP

12288:IZDNRR3bbPwXT9EhfIYXsLGwO23cSdxFk/BPfos:IZDNRR3bbPwXT97YX1123BCBPfos

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe

Executes dropped EXE 12 IoCs

pid	Process
2548	windowrfirewall.exe
4912	windowrfirewall.exe
2668	windowrfirewall.exe
2628	windowrfirewall.exe
2212	windowrfirewall.exe
2388	windowrfirewall.exe
2828	windowrfirewall.exe
3180	windowrfirewall.exe
3108	windowrfirewall.exe
4208	windowrfirewall.exe
2644	windowrfirewall.exe
4856	windowrfirewall.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1808-167-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/1808-169-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/1808-170-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/1808-172-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/1808-175-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/1808-177-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/1808-176-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/3160-240-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/3160-241-0x0000000001610000-0x0000000001715000-memory.dmp	upx
behavioral2/memory/3160-242-0x0000000001610000-0x0000000001715000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	windowrfirewall.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\firewaalwin = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\windowrfirewall.exe"	windowrfirewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	windowrfirewall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2548 set thread context of 4912	2548	windowrfirewall.exe	121
PID 2668 set thread context of 2628	2668	windowrfirewall.exe	126
PID 4912 set thread context of 1808	4912	windowrfirewall.exe	124
PID 2212 set thread context of 2388	2212	windowrfirewall.exe	147
PID 2828 set thread context of 3180	2828	windowrfirewall.exe	171
PID 3108 set thread context of 4208	3108	windowrfirewall.exe	193
PID 2644 set thread context of 4856	2644	windowrfirewall.exe	197
PID 4208 set thread context of 3160	4208	windowrfirewall.exe	195
PID 4856 set thread context of 3884	4856	windowrfirewall.exe	199

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
File opened for modification	C:\Windows\InstallDir\	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File created	C:\Windows\InstallDir\windowrfirewall.exe	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
File opened for modification	C:\Windows\InstallDir\	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe
File opened for modification	C:\Windows\InstallDir\windowrfirewall.exe	windowrfirewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	explorer.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowrfirewall.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1808	explorer.exe
1808	explorer.exe
3160	explorer.exe
3160	explorer.exe
3884	explorer.exe
3884	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
2548	windowrfirewall.exe
2668	windowrfirewall.exe
1808	explorer.exe
2212	windowrfirewall.exe
2828	windowrfirewall.exe
2388	windowrfirewall.exe
3108	windowrfirewall.exe
2644	windowrfirewall.exe
3160	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 2088 wrote to memory of 4896	2088	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	83
PID 4896 wrote to memory of 1312	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	84
PID 4896 wrote to memory of 1312	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	84
PID 4896 wrote to memory of 1312	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	84
PID 4896 wrote to memory of 1312	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	84
PID 4896 wrote to memory of 1728	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	85
PID 4896 wrote to memory of 1728	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	85
PID 4896 wrote to memory of 2644	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	86
PID 4896 wrote to memory of 2644	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	86
PID 4896 wrote to memory of 2644	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	86
PID 4896 wrote to memory of 1688	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	87
PID 4896 wrote to memory of 1688	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	87
PID 4896 wrote to memory of 1688	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	87
PID 4896 wrote to memory of 2520	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	88
PID 4896 wrote to memory of 2520	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	88
PID 4896 wrote to memory of 1484	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	89
PID 4896 wrote to memory of 1484	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	89
PID 4896 wrote to memory of 1484	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	89
PID 4896 wrote to memory of 1516	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	90
PID 4896 wrote to memory of 1516	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	90
PID 4896 wrote to memory of 1056	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	91
PID 4896 wrote to memory of 1056	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	91
PID 4896 wrote to memory of 1056	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	91
PID 4896 wrote to memory of 1424	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	92
PID 4896 wrote to memory of 1424	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	92
PID 4896 wrote to memory of 8	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	93
PID 4896 wrote to memory of 8	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	93
PID 4896 wrote to memory of 8	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	93
PID 4896 wrote to memory of 532	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	94
PID 4896 wrote to memory of 532	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	94
PID 4896 wrote to memory of 668	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	95
PID 4896 wrote to memory of 668	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	95
PID 4896 wrote to memory of 668	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	95
PID 4896 wrote to memory of 2040	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	96
PID 4896 wrote to memory of 2040	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	96
PID 4896 wrote to memory of 3368	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	97
PID 4896 wrote to memory of 3368	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	97
PID 4896 wrote to memory of 3368	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	97
PID 4896 wrote to memory of 4676	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	98
PID 4896 wrote to memory of 4676	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	98
PID 4896 wrote to memory of 3468	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	99
PID 4896 wrote to memory of 3468	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	99
PID 4896 wrote to memory of 3468	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	99
PID 4896 wrote to memory of 1624	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	100
PID 4896 wrote to memory of 1624	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	100
PID 4896 wrote to memory of 3412	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	101
PID 4896 wrote to memory of 3412	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	101
PID 4896 wrote to memory of 3412	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	101
PID 4896 wrote to memory of 2636	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	102
PID 4896 wrote to memory of 2636	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	102
PID 4896 wrote to memory of 3472	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	103
PID 4896 wrote to memory of 3472	4896	aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe	103

C:\Users\Admin\AppData\Local\Temp\aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
"C:\Users\Admin\AppData\Local\Temp\aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe
  "C:\Users\Admin\AppData\Local\Temp\aquiestanlasfotosseveclaritolacaraparaquedespuesnoseniegueydigaquenoes.exe"
  2⤵
  - Adds policy Run key to start application
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Modifies registry class
    PID:1312
  - - C:\Windows\InstallDir\windowrfirewall.exe
      "C:\Windows\InstallDir\windowrfirewall.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2668
    - - C:\Windows\InstallDir\windowrfirewall.exe
        
        "C:\Windows\InstallDir\windowrfirewall.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3584
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:880
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4280
  - - C:\Windows\InstallDir\windowrfirewall.exe
      "C:\Windows\InstallDir\windowrfirewall.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2212
    - - C:\Windows\InstallDir\windowrfirewall.exe
        
        "C:\Windows\InstallDir\windowrfirewall.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:796
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4408
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1192
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2256
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4940
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5076
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1180
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:732
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4700
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1028
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:5104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4156
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1408
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4916
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2676
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2664
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3732
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3380
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4472
      - C:\Windows\InstallDir\windowrfirewall.exe
        
        "C:\Windows\InstallDir\windowrfirewall.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        C:\Windows\InstallDir\windowrfirewall.exe
        
        "C:\Windows\InstallDir\windowrfirewall.exe"
        7⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4192
  - - C:\Windows\InstallDir\windowrfirewall.exe
      "C:\Windows\InstallDir\windowrfirewall.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2828
    - - C:\Windows\InstallDir\windowrfirewall.exe
        
        "C:\Windows\InstallDir\windowrfirewall.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1356
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2820
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4296
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1864
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2712
  - - C:\Windows\InstallDir\windowrfirewall.exe
      "C:\Windows\InstallDir\windowrfirewall.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2644
    - - C:\Windows\InstallDir\windowrfirewall.exe
        
        "C:\Windows\InstallDir\windowrfirewall.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4292
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:8
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:532
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3608
- - C:\Windows\InstallDir\windowrfirewall.exe
    "C:\Windows\InstallDir\windowrfirewall.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2548
  - - C:\Windows\InstallDir\windowrfirewall.exe
      "C:\Windows\InstallDir\windowrfirewall.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      PID:4912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.dat

Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.nfo

Filesize
3KB

MD5
cb8e94fc236d01735a8ffc7e60dc7d6f

SHA1
3ead3bf4cdfebda3b07361399010fe6f13b25844

SHA256
db602efe15188b16ab171a56425fa375b54862754f905216de1c4977d2f1464b

SHA512
fb41e1c85ade4372153f49ae924894a28749403462d85ae709f15d61d3f082b7dc1a3753ee07b8871cffa712a19fca4b60b02038b229e68c4e73acaf053bb852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.nfo

Filesize
3KB

MD5
cb8e94fc236d01735a8ffc7e60dc7d6f

SHA1
3ead3bf4cdfebda3b07361399010fe6f13b25844

SHA256
db602efe15188b16ab171a56425fa375b54862754f905216de1c4977d2f1464b

SHA512
fb41e1c85ade4372153f49ae924894a28749403462d85ae709f15d61d3f082b7dc1a3753ee07b8871cffa712a19fca4b60b02038b229e68c4e73acaf053bb852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.nfo

Filesize
3KB

MD5
cb8e94fc236d01735a8ffc7e60dc7d6f

SHA1
3ead3bf4cdfebda3b07361399010fe6f13b25844

SHA256
db602efe15188b16ab171a56425fa375b54862754f905216de1c4977d2f1464b

SHA512
fb41e1c85ade4372153f49ae924894a28749403462d85ae709f15d61d3f082b7dc1a3753ee07b8871cffa712a19fca4b60b02038b229e68c4e73acaf053bb852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.nfo

Filesize
3KB

MD5
cb8e94fc236d01735a8ffc7e60dc7d6f

SHA1
3ead3bf4cdfebda3b07361399010fe6f13b25844

SHA256
db602efe15188b16ab171a56425fa375b54862754f905216de1c4977d2f1464b

SHA512
fb41e1c85ade4372153f49ae924894a28749403462d85ae709f15d61d3f082b7dc1a3753ee07b8871cffa712a19fca4b60b02038b229e68c4e73acaf053bb852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.nfo

Filesize
3KB

MD5
cb8e94fc236d01735a8ffc7e60dc7d6f

SHA1
3ead3bf4cdfebda3b07361399010fe6f13b25844

SHA256
db602efe15188b16ab171a56425fa375b54862754f905216de1c4977d2f1464b

SHA512
fb41e1c85ade4372153f49ae924894a28749403462d85ae709f15d61d3f082b7dc1a3753ee07b8871cffa712a19fca4b60b02038b229e68c4e73acaf053bb852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.nfo

Filesize
3KB

MD5
cb8e94fc236d01735a8ffc7e60dc7d6f

SHA1
3ead3bf4cdfebda3b07361399010fe6f13b25844

SHA256
db602efe15188b16ab171a56425fa375b54862754f905216de1c4977d2f1464b

SHA512
fb41e1c85ade4372153f49ae924894a28749403462d85ae709f15d61d3f082b7dc1a3753ee07b8871cffa712a19fca4b60b02038b229e68c4e73acaf053bb852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.nfo

Filesize
3KB

MD5
cb8e94fc236d01735a8ffc7e60dc7d6f

SHA1
3ead3bf4cdfebda3b07361399010fe6f13b25844

SHA256
db602efe15188b16ab171a56425fa375b54862754f905216de1c4977d2f1464b

SHA512
fb41e1c85ade4372153f49ae924894a28749403462d85ae709f15d61d3f082b7dc1a3753ee07b8871cffa712a19fca4b60b02038b229e68c4e73acaf053bb852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.svr

Filesize
346KB

MD5
b6d63330959896290103db9786bd33d6

SHA1
b2558e1b4c6d9e012801a6e6564cf44fa16d6d14

SHA256
38d68f85dd0d99524efb7b537ce8fc5c7494126da1455a8d700cec51ef021c24

SHA512
54cd768f2df8e7e570a95073e1727465c6c22945334e33b835608b8933ef81d59eb33b3b5b434dde5c8b2f25130b417a076916fa4b7fcd9c33a133681cecc9b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9l2b8f7g\9l2b8f7g.svr

Filesize
346KB

MD5
b6d63330959896290103db9786bd33d6

SHA1
b2558e1b4c6d9e012801a6e6564cf44fa16d6d14

SHA256
38d68f85dd0d99524efb7b537ce8fc5c7494126da1455a8d700cec51ef021c24

SHA512
54cd768f2df8e7e570a95073e1727465c6c22945334e33b835608b8933ef81d59eb33b3b5b434dde5c8b2f25130b417a076916fa4b7fcd9c33a133681cecc9b2

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
C:\Windows\InstallDir\windowrfirewall.exe

Filesize
515KB

MD5
869361b96dca155765fcf89d7868b911

SHA1
807ecc63caa2addc58ffc035c13d67d6f8ec064e

SHA256
58d573b8c45511e29212b3ee15545da2de871d1a8da0bd47120d3e73d84f8207

SHA512
9f963d4ec858025b8e29cad444559dacc4ffe25170ab9fccd27acbdf0929131a1c9dab759073179bdc1d6130bd79843ac54eb7f4fee0f74a3322a1fe34f11610

Download Submit
memory/1312-142-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/1808-175-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/1808-182-0x0000000001611000-0x00000000016BD000-memory.dmp

Filesize
688KB

Download
memory/1808-172-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/1808-185-0x00000000016BD000-0x0000000001713000-memory.dmp

Filesize
344KB

Download
memory/1808-169-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/1808-177-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/1808-176-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/1808-167-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/1808-184-0x00000000016BD000-0x0000000001713000-memory.dmp

Filesize
344KB

Download
memory/1808-180-0x00000000016BD000-0x0000000001713000-memory.dmp

Filesize
344KB

Download
memory/1808-170-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/2088-132-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2212-188-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2388-243-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2388-196-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2388-195-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2548-146-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2628-183-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2628-181-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/3108-212-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3160-241-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/3160-240-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/3160-242-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/3160-258-0x00000000016BD000-0x0000000001713000-memory.dmp

Filesize
344KB

Download
memory/3160-248-0x00000000016BD000-0x0000000001713000-memory.dmp

Filesize
344KB

Download
memory/3180-208-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/3180-209-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/3884-256-0x00000000016BD000-0x0000000001713000-memory.dmp

Filesize
344KB

Download
memory/4208-220-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4208-257-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4856-246-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4896-136-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4896-137-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4896-138-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4896-139-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4896-143-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4896-174-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/4912-163-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download