f79669d34e38545d8c1904b88aa4f9b9ecd9312f98a39c1fec1bc3bacf3f4897

Analysis

max time kernel
129s
max time network
134s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

41fd50bcd68c5a987282082753fe4650
SHA1

2f5c5e5cd680412a01212986f99c6b85808078aa
SHA256

f79669d34e38545d8c1904b88aa4f9b9ecd9312f98a39c1fec1bc3bacf3f4897
SHA512

f5f1c75fbff98645318ec817e3b74163cd1bfef9cd1e26d31040077d421ae68caab73e90ba665af31bf680367556f3bb6d2980844737516d6a466232478647c6
SSDEEP

196608:91OSuiOHmQAEO5tQ51Rzg3ricHwdPCjmsLAXt/qaiiSAavY/5KiT/lA:3OhdGQE05vSrwPCqsLyhq7AumLlA

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execonhost.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0"	reg.exe

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

29 1340 rundll32.exe
30 1340 rundll32.exe
31 1340 rundll32.exe
32 1340 rundll32.exe
33 1340 rundll32.exe
35 1340 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exeORfqfRp.exeTBuhmgk.exe

pid process

1288 Install.exe
932 Install.exe
1940 ORfqfRp.exe
592 TBuhmgk.exe

flow	pid	process
29	1340	rundll32.exe
30	1340	rundll32.exe
31	1340	rundll32.exe
32	1340	rundll32.exe
33	1340	rundll32.exe
35	1340	rundll32.exe

pid	process
1288	Install.exe
932	Install.exe
1940	ORfqfRp.exe
592	TBuhmgk.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

TBuhmgk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation TBuhmgk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	TBuhmgk.exe

Loads dropped DLL 12 IoCs

Processes:

file.exeInstall.exeInstall.exerundll32.exe

pid	process
1300	file.exe
1288	Install.exe
1288	Install.exe
1288	Install.exe
1288	Install.exe
932	Install.exe
932	Install.exe
932	Install.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

TBuhmgk.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	TBuhmgk.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json	TBuhmgk.exe

Drops file in System32 directory 23 IoCs

Processes:

TBuhmgk.exepowershell.EXEORfqfRp.exepowershell.EXEInstall.exepowershell.EXEpowershell.EXErundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	TBuhmgk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	ORfqfRp.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	TBuhmgk.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	TBuhmgk.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	TBuhmgk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ORfqfRp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	TBuhmgk.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ORfqfRp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	TBuhmgk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Drops file in Program Files directory 13 IoCs

Processes:

TBuhmgk.exe

description	ioc	process
File created	C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\DoXRRMA.xml	TBuhmgk.exe
File created	C:\Program Files (x86)\aJAQLsoDkiWqC\OlQOpJN.xml	TBuhmgk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	TBuhmgk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	TBuhmgk.exe
File created	C:\Program Files (x86)\SHsJRQZsU\kTfNEpT.xml	TBuhmgk.exe
File created	C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\DqNmGVH.dll	TBuhmgk.exe
File created	C:\Program Files (x86)\ATZmuaBwNwmU2\DOqXcKO.xml	TBuhmgk.exe
File created	C:\Program Files (x86)\aJAQLsoDkiWqC\gsIyvyK.dll	TBuhmgk.exe
File created	C:\Program Files (x86)\QYiUKrukFVUn\utybmGA.dll	TBuhmgk.exe
File created	C:\Program Files (x86)\SHsJRQZsU\VmFcYJ.dll	TBuhmgk.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	TBuhmgk.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	TBuhmgk.exe
File created	C:\Program Files (x86)\ATZmuaBwNwmU2\eVimiFjcPYqJn.dll	TBuhmgk.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job	schtasks.exe
File created	C:\Windows\Tasks\VgOpnHVQDAdMZqNFB.job	schtasks.exe
File created	C:\Windows\Tasks\DNDvMcbpefrYjKZ.job	schtasks.exe
File created	C:\Windows\Tasks\mDNVJgqIdbaAfzWWp.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1324	schtasks.exe
1604	schtasks.exe
1676	schtasks.exe
1368	schtasks.exe
1540	schtasks.exe
880	schtasks.exe
920	schtasks.exe
1956	schtasks.exe
1684	schtasks.exe
1452	schtasks.exe
1532	schtasks.exe
1608	schtasks.exe
1520	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

rundll32.exeTBuhmgk.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	TBuhmgk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}\WpadDecisionTime = c078c2c7eccfd801	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	TBuhmgk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	TBuhmgk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	TBuhmgk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}\b2-de-03-54-62-3a	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	TBuhmgk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	TBuhmgk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	TBuhmgk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecisionReason = "1"	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	TBuhmgk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	TBuhmgk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	TBuhmgk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	TBuhmgk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecision = "0"	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	TBuhmgk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a	TBuhmgk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecisionTime = c078c2c7eccfd801	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	TBuhmgk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}\b2-de-03-54-62-3a	TBuhmgk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	TBuhmgk.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TBuhmgk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	TBuhmgk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	TBuhmgk.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXETBuhmgk.exe

pid	process
1700	powershell.EXE
1700	powershell.EXE
1700	powershell.EXE
112	powershell.EXE
112	powershell.EXE
112	powershell.EXE
1264	powershell.EXE
1264	powershell.EXE
1264	powershell.EXE
1864	powershell.EXE
1864	powershell.EXE
1864	powershell.EXE
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe
592	TBuhmgk.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1700	powershell.EXE
Token: SeDebugPrivilege	112	powershell.EXE
Token: SeDebugPrivilege	1264	powershell.EXE
Token: SeDebugPrivilege	1864	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1300 wrote to memory of 1288	1300	file.exe	Install.exe
PID 1300 wrote to memory of 1288	1300	file.exe	Install.exe
PID 1300 wrote to memory of 1288	1300	file.exe	Install.exe
PID 1300 wrote to memory of 1288	1300	file.exe	Install.exe
PID 1300 wrote to memory of 1288	1300	file.exe	Install.exe
PID 1300 wrote to memory of 1288	1300	file.exe	Install.exe
PID 1300 wrote to memory of 1288	1300	file.exe	Install.exe
PID 1288 wrote to memory of 932	1288	Install.exe	Install.exe
PID 1288 wrote to memory of 932	1288	Install.exe	Install.exe
PID 1288 wrote to memory of 932	1288	Install.exe	Install.exe
PID 1288 wrote to memory of 932	1288	Install.exe	Install.exe
PID 1288 wrote to memory of 932	1288	Install.exe	Install.exe
PID 1288 wrote to memory of 932	1288	Install.exe	Install.exe
PID 1288 wrote to memory of 932	1288	Install.exe	Install.exe
PID 932 wrote to memory of 2028	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 2028	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 2028	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 2028	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 2028	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 2028	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 2028	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 1588	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 1588	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 1588	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 1588	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 1588	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 1588	932	Install.exe	forfiles.exe
PID 932 wrote to memory of 1588	932	Install.exe	forfiles.exe
PID 2028 wrote to memory of 984	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 984	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 984	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 984	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 984	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 984	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 984	2028	forfiles.exe	cmd.exe
PID 1588 wrote to memory of 1972	1588	forfiles.exe	cmd.exe
PID 1588 wrote to memory of 1972	1588	forfiles.exe	cmd.exe
PID 1588 wrote to memory of 1972	1588	forfiles.exe	cmd.exe
PID 1588 wrote to memory of 1972	1588	forfiles.exe	cmd.exe
PID 1588 wrote to memory of 1972	1588	forfiles.exe	cmd.exe
PID 1588 wrote to memory of 1972	1588	forfiles.exe	cmd.exe
PID 1588 wrote to memory of 1972	1588	forfiles.exe	cmd.exe
PID 984 wrote to memory of 960	984	cmd.exe	reg.exe
PID 984 wrote to memory of 960	984	cmd.exe	reg.exe
PID 984 wrote to memory of 960	984	cmd.exe	reg.exe
PID 984 wrote to memory of 960	984	cmd.exe	reg.exe
PID 984 wrote to memory of 960	984	cmd.exe	reg.exe
PID 984 wrote to memory of 960	984	cmd.exe	reg.exe
PID 984 wrote to memory of 960	984	cmd.exe	reg.exe
PID 1972 wrote to memory of 1732	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1732	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1732	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1732	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1732	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1732	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1732	1972	cmd.exe	reg.exe
PID 984 wrote to memory of 852	984	cmd.exe	reg.exe
PID 984 wrote to memory of 852	984	cmd.exe	reg.exe
PID 984 wrote to memory of 852	984	cmd.exe	reg.exe
PID 984 wrote to memory of 852	984	cmd.exe	reg.exe
PID 984 wrote to memory of 852	984	cmd.exe	reg.exe
PID 984 wrote to memory of 852	984	cmd.exe	reg.exe
PID 984 wrote to memory of 852	984	cmd.exe	reg.exe
PID 1972 wrote to memory of 1772	1972	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\7zS15A4.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\7zS2740.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:984

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:960

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:852

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1972

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:1732

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1772

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsgDhsqQj" /SC once /ST 04:06:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsgDhsqQj"
4⤵
PID:1180

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsgDhsqQj"
4⤵
PID:1608

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 08:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\ORfqfRp.exe\" 3x /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\taskeng.exe
taskeng.exe {9A6228B2-40B6-4D89-A88A-102951D5FBBE} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1680

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:824

C:\Windows\system32\taskeng.exe
taskeng.exe {A0F1DA24-8C91-4DFB-8B0E-19CE4D5CFAFE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\ORfqfRp.exe
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\ORfqfRp.exe 3x /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "geHSMQaoA" /SC once /ST 07:37:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "geHSMQaoA"
3⤵
PID:1736

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "geHSMQaoA"
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:820

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:908

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1452

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gqsImGWAp" /SC once /ST 04:17:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gqsImGWAp"
3⤵
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gqsImGWAp"
3⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:992

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:824

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\MYjwJFnMfsmfKHMw\UoVkXyFP\oUmEXnpRXMkMJWeO.wsf"
3⤵
PID:668

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\MYjwJFnMfsmfKHMw\UoVkXyFP\oUmEXnpRXMkMJWeO.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1324

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:32
4⤵
PID:908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1264

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gIXNqsdsD" /SC once /ST 07:51:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gIXNqsdsD"
3⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gIXNqsdsD"
3⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "VgOpnHVQDAdMZqNFB" /SC once /ST 06:35:35 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\TBuhmgk.exe\" aF /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "VgOpnHVQDAdMZqNFB"
3⤵
PID:1432

C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\TBuhmgk.exe
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\TBuhmgk.exe aF /site_id 525403 /S
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:592

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bNHXguvSZYiOwSiXLC"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:888

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SHsJRQZsU\VmFcYJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "DNDvMcbpefrYjKZ" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1452

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DNDvMcbpefrYjKZ2" /F /xml "C:\Program Files (x86)\SHsJRQZsU\kTfNEpT.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DNDvMcbpefrYjKZ"
3⤵
PID:276

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DNDvMcbpefrYjKZ"
3⤵
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WEhIDiLYPHjasB" /F /xml "C:\Program Files (x86)\ATZmuaBwNwmU2\DOqXcKO.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uMLBCyigOFctO2" /F /xml "C:\ProgramData\fxkldoUMcXUSOxVB\JgcjyfS.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kiDkdQMpQtFhhDeJz2" /F /xml "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\DoXRRMA.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:880

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "VjVOLqrPjSeucnEqiOK2" /F /xml "C:\Program Files (x86)\aJAQLsoDkiWqC\OlQOpJN.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mDNVJgqIdbaAfzWWp" /SC once /ST 02:10:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll\",#1 /site_id 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:920

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mDNVJgqIdbaAfzWWp"
3⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
4⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
4⤵
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "VgOpnHVQDAdMZqNFB"
3⤵
PID:752

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll",#1 /site_id 525403
2⤵
PID:960

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll",#1 /site_id 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mDNVJgqIdbaAfzWWp"
4⤵
PID:576

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1632

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1863771635-7597620641291998015240058151-766131117-87487558817179748721400259219"
1⤵
- Windows security bypass
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-117054073719680839631963722168-1206427419-1146109303129674916-1574249367666608210"
1⤵
PID:1324

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ATZmuaBwNwmU2\DOqXcKO.xml
Filesize
2KB

MD5
7445b66872e864f0e9409efdff2e1deb

SHA1
e4b7aa2328e03e3edf11516db365a547f6cc8745

SHA256
20130e0004ec0595f7c5087178c89247a17ad6d038146c5cf28f2f1176a3587e

SHA512
8c055e47c4b764c5e67f75346230cdcce06515266b1c62a9e769bba6e2ef0155702ad6f7bc676ba342d1b1eb66255e4698142e9d340dfdcc7cb5a45e72c05627

Download Submit
C:\Program Files (x86)\SHsJRQZsU\kTfNEpT.xml
Filesize
2KB

MD5
09e63cf032321c0715492cc6f446f805

SHA1
dfffd0dba6cb44fd68c4722cc89b4877afaa751e

SHA256
ce71993001d3d4ac3146c251acc087dd7d97f12b2afd125f2e4859c39a299390

SHA512
2ff104ee11e12f3e1c92166e4ffd40e24f5c2d79e1cdf88c9c89c00fd963d93d316daf1b700e21a35c66a6f0c4d49fc3ea4140af2ea198600faa3ee3d0a9f3e1

Download Submit
C:\Program Files (x86)\aJAQLsoDkiWqC\OlQOpJN.xml
Filesize
2KB

MD5
a02009d430ba16f682b6440e30ee454e

SHA1
439a9c21bc764ec19e4d679b6bf0b677017ce78b

SHA256
62d90d91634de8af471457bd093e6f57b005e8609ab7bc7acc3ea261868d4651

SHA512
a46c48ae3477678c6bb3d7fb9434713ce3d8eb3ed9ffc520afd46219ed20249efca69e80706832dc76defc21d064445ac69c306708bb3a9c070d1109ea56af02

Download Submit
C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\DoXRRMA.xml
Filesize
2KB

MD5
d604a2b468d0d87759bc743e0ed6a109

SHA1
7bd57cd8b15d9ec9d8ff0f713a17cb6cb82dedda

SHA256
78f5821c82061f083bd4763e91774140f3863204f764a8b0c302919a50f07e44

SHA512
75f6dd801523fa367e756ffef84509696259f7c56167194917edd6a96565968363ba6c1a3fa790f8d586aca78e6a06c75acf7509eb10e44b968da63800f141fd

Download Submit
C:\ProgramData\fxkldoUMcXUSOxVB\JgcjyfS.xml
Filesize
2KB

MD5
c7802f1bb7cd2566d63136a19a3a751a

SHA1
61a9cb564bac28d9fd25045b9959c67340891447

SHA256
3a3074985cfa0e57b1ceb7e8f3e194e6af6cd375db4851e549ba2b1a754786a1

SHA512
2de08c79374738b3631d8d94f726fc19f1a6c39aa9f641f3f2dad51311e841e391314aedc3e121ed6a5c8f71b0298328f11492ddf65cd4d75d7a6fdf863d25e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15A4.tmp\Install.exe
Filesize
6.4MB

MD5
06b64c495a9fd1fd269126d86934eb24

SHA1
5e0edd1905f7bdd65e0e232dbba9eb1705f63f54

SHA256
20d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3

SHA512
05d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15A4.tmp\Install.exe
Filesize
6.4MB

MD5
06b64c495a9fd1fd269126d86934eb24

SHA1
5e0edd1905f7bdd65e0e232dbba9eb1705f63f54

SHA256
20d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3

SHA512
05d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2740.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2740.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\ORfqfRp.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\ORfqfRp.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d45c3cc6a361c6eb2f256c5ca0360e66

SHA1
b1f62cfeb0bc0ef2f618c8d31f01c5063b3e9de8

SHA256
cd51a232565b1c0e1dfb638b834e38d9a07a10d907f8644274f69a231885965f

SHA512
40418757b0efda7a50327fc72224e4e2dae1548e11b5417d68c34392bf859db2b3c4973e1fae48060288fcfe69316a694bcbc94060d889eb265e220120ee26d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc3978a2ca148c12c67e3a38145c98da

SHA1
317a803d6fe03b0072cde91331e6067d93b8206d

SHA256
ded0dcd2edbe18f82d999e0988e4b054656198d07cbe194aac4d1a1fcf2335ac

SHA512
eade964d929d668f8efe38387e3b460e0c04c4227a5170c469dbfe31e9e780ccc74882bc14edecaed6ea2e8fede14f52da7503c368634444d250c253913fd657

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
219371cf02c3482b55ae534af272d5af

SHA1
0bc1aa12abb25411eee12275574d9fee167202ba

SHA256
a45dc736d71e6cba9832750463662ddb7cd3496181b06afa59e201c03ad43fcd

SHA512
47023618b1407ef25bbee2e16310c4fd37a7fce2935bd233aa1d07265e57fb3a20bb82864ed6e2b93809691d3b8e481df1198fc587f07c285416010750004333

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\TBuhmgk.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\TBuhmgk.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\UoVkXyFP\oUmEXnpRXMkMJWeO.wsf
Filesize
8KB

MD5
cbe443be369f9764df4099d61d3ac5a0

SHA1
2963d3e0fa8521b769359e3de32b27fbe2d9930b

SHA256
b4bc0148762fd68ddc846f9b695710605abc332d09ce452b63ee4375920d9235

SHA512
e2833d63d32245bfc0c15cb46035b53bfb7aa033a10fd61bc17e5221e3b342bfcfb38cf5838a914d4a31c73065e373005093355f17416b92f266e3fa54903bba

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
e2436407f179c09e369dd38df9fafcc6

SHA1
d0fba43460b9348336da2e405a69c463f7573e82

SHA256
2f936e14255a9c0b6ccb4772f00504d34aa3288ea431680752a84ad1f9196d14

SHA512
ff3bb873625f685b707f056990c9735e53d156d2ea599de6f6568632d84b9fccf1ac8efc0fe457c1588d92c0cfb9c0c5ca07503ca9d27183d223f172023599ae

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS15A4.tmp\Install.exe
Filesize
6.4MB

MD5
06b64c495a9fd1fd269126d86934eb24

SHA1
5e0edd1905f7bdd65e0e232dbba9eb1705f63f54

SHA256
20d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3

SHA512
05d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS15A4.tmp\Install.exe
Filesize
6.4MB

MD5
06b64c495a9fd1fd269126d86934eb24

SHA1
5e0edd1905f7bdd65e0e232dbba9eb1705f63f54

SHA256
20d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3

SHA512
05d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS15A4.tmp\Install.exe
Filesize
6.4MB

MD5
06b64c495a9fd1fd269126d86934eb24

SHA1
5e0edd1905f7bdd65e0e232dbba9eb1705f63f54

SHA256
20d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3

SHA512
05d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS15A4.tmp\Install.exe
Filesize
6.4MB

MD5
06b64c495a9fd1fd269126d86934eb24

SHA1
5e0edd1905f7bdd65e0e232dbba9eb1705f63f54

SHA256
20d1cc7499b76a76d3e66dc4c5f2c3ce2fc49bcceaf7af523245a63d2a9457b3

SHA512
05d984d5106df489b592fc05f253df05c444169b893b6acc4f6c34bd16c8699b08aead64e966f2301a6fc4f8b81fbb912ea3436eb2ee4da56a25f5f5b97325c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2740.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2740.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2740.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2740.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\HnxIqqsb\zbHHalI.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
memory/112-124-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/112-117-0x0000000000000000-mapping.dmp

Download
memory/112-142-0x0000000000000000-mapping.dmp

Download
memory/112-125-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/112-122-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/112-121-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

Filesize
11.4MB

Download
memory/112-120-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp

Filesize
10.1MB

Download
memory/276-160-0x0000000000000000-mapping.dmp

Download
memory/296-100-0x0000000000000000-mapping.dmp

Download
memory/396-167-0x0000000000000000-mapping.dmp

Download
memory/396-126-0x0000000000000000-mapping.dmp

Download
memory/548-168-0x0000000000000000-mapping.dmp

Download
memory/568-175-0x0000000000000000-mapping.dmp

Download
memory/592-200-0x00000000040D0000-0x0000000004137000-memory.dmp

Filesize
412KB

Download
memory/592-195-0x0000000004290000-0x0000000004315000-memory.dmp

Filesize
532KB

Download
memory/592-214-0x0000000005110000-0x00000000051C6000-memory.dmp

Filesize
728KB

Download
memory/592-155-0x0000000000000000-mapping.dmp

Download
memory/592-210-0x00000000045F0000-0x000000000466C000-memory.dmp

Filesize
496KB

Download
memory/668-151-0x0000000000000000-mapping.dmp

Download
memory/780-173-0x0000000000000000-mapping.dmp

Download
memory/820-127-0x0000000000000000-mapping.dmp

Download
memory/824-147-0x0000000000000000-mapping.dmp

Download
memory/852-86-0x0000000000000000-mapping.dmp

Download
memory/852-157-0x0000000000000000-mapping.dmp

Download
memory/888-158-0x0000000000000000-mapping.dmp

Download
memory/908-129-0x0000000000000000-mapping.dmp

Download
memory/912-177-0x0000000000000000-mapping.dmp

Download
memory/932-64-0x0000000000000000-mapping.dmp

Download
memory/932-71-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/960-82-0x0000000000000000-mapping.dmp

Download
memory/984-77-0x0000000000000000-mapping.dmp

Download
memory/992-123-0x0000000000000000-mapping.dmp

Download
memory/992-145-0x0000000000000000-mapping.dmp

Download
memory/1020-159-0x0000000000000000-mapping.dmp

Download
memory/1020-174-0x0000000000000000-mapping.dmp

Download
memory/1180-92-0x0000000000000000-mapping.dmp

Download
memory/1204-149-0x0000000000000000-mapping.dmp

Download
memory/1236-171-0x0000000000000000-mapping.dmp

Download
memory/1260-156-0x0000000000000000-mapping.dmp

Download
memory/1264-136-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/1264-140-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1264-138-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1264-141-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/1264-137-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

Filesize
11.4MB

Download
memory/1264-133-0x0000000000000000-mapping.dmp

Download
memory/1288-56-0x0000000000000000-mapping.dmp

Download
memory/1300-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1324-172-0x0000000000000000-mapping.dmp

Download
memory/1324-115-0x0000000000000000-mapping.dmp

Download
memory/1340-220-0x0000000001210000-0x0000000002210000-memory.dmp

Filesize
16.0MB

Download
memory/1360-152-0x0000000000000000-mapping.dmp

Download
memory/1368-144-0x0000000000000000-mapping.dmp

Download
memory/1368-164-0x0000000000000000-mapping.dmp

Download
memory/1452-130-0x0000000000000000-mapping.dmp

Download
memory/1484-148-0x0000000000000000-mapping.dmp

Download
memory/1520-90-0x0000000000000000-mapping.dmp

Download
memory/1528-146-0x0000000000000000-mapping.dmp

Download
memory/1588-76-0x0000000000000000-mapping.dmp

Download
memory/1604-131-0x0000000000000000-mapping.dmp

Download
memory/1608-103-0x0000000000000000-mapping.dmp

Download
memory/1608-150-0x0000000000000000-mapping.dmp

Download
memory/1624-132-0x0000000000000000-mapping.dmp

Download
memory/1632-163-0x0000000000000000-mapping.dmp

Download
memory/1676-166-0x0000000000000000-mapping.dmp

Download
memory/1676-128-0x0000000000000000-mapping.dmp

Download
memory/1700-97-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

Filesize
11.4MB

Download
memory/1700-143-0x0000000000000000-mapping.dmp

Download
memory/1700-94-0x0000000000000000-mapping.dmp

Download
memory/1700-95-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1700-96-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/1700-98-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1700-99-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1700-101-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1700-102-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1712-169-0x0000000000000000-mapping.dmp

Download
memory/1732-83-0x0000000000000000-mapping.dmp

Download
memory/1736-116-0x0000000000000000-mapping.dmp

Download
memory/1772-87-0x0000000000000000-mapping.dmp

Download
memory/1864-183-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1864-197-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1864-180-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp

Filesize
10.1MB

Download
memory/1864-181-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

Filesize
11.4MB

Download
memory/1864-182-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1864-184-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1920-165-0x0000000000000000-mapping.dmp

Download
memory/1940-108-0x0000000000000000-mapping.dmp

Download
memory/1956-105-0x0000000000000000-mapping.dmp

Download
memory/1972-170-0x0000000000000000-mapping.dmp

Download
memory/1972-80-0x0000000000000000-mapping.dmp

Download
memory/2000-162-0x0000000000000000-mapping.dmp

Download
memory/2028-74-0x0000000000000000-mapping.dmp

Download
memory/2036-161-0x0000000000000000-mapping.dmp

Download
memory/2036-139-0x0000000000000000-mapping.dmp

Download
memory/2036-176-0x0000000000000000-mapping.dmp

Download