2b193c1251757591cd592b0ef2970ac5ecacf466129c0c726a5ee8e18cf7cd63

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

418648cb95a53e3c7787919ed5fb1227
SHA1

dc8fbd95294dd14e4621cdc61df4206e19866ac0
SHA256

2b193c1251757591cd592b0ef2970ac5ecacf466129c0c726a5ee8e18cf7cd63
SHA512

1c48d219036651c570e1fb1908187ff09e68f34049fad1b7a4c2a85b6350fc1f18997a1f277a7c3b59ed2fc4ee53e802533b03e53588c6fcd7ecf2479e5c7ced
SSDEEP

196608:91OEmP+Vsf/HONWZ7X9xgqS+s5SQoDuJK6w4+5A:3OnNHZr8qh6w4+u

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCMDmHxGrLJHC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jIUrjTqJU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VnSvEXTIbraTatzTOsR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\twylNxKJekDU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\CEEEIGvNcEpIBnVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\twylNxKJekDU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCMDmHxGrLJHC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nVCmSimpmwUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\CEEEIGvNcEpIBnVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VnSvEXTIbraTatzTOsR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jIUrjTqJU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nVCmSimpmwUn = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1620	Install.exe
1704	Install.exe
1464	gyfbCuh.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1612	file.exe
1620	Install.exe
1620	Install.exe
1620	Install.exe
1620	Install.exe
1704	Install.exe
1704	Install.exe
1704	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	gyfbCuh.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	gyfbCuh.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	gyfbCuh.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1940	schtasks.exe
568	schtasks.exe
1176	schtasks.exe
288	schtasks.exe
1616	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1064	powershell.EXE
1064	powershell.EXE
1064	powershell.EXE
1572	powershell.EXE
1572	powershell.EXE
1572	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE
1120	powershell.EXE
1120	powershell.EXE
1120	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	powershell.EXE
Token: SeDebugPrivilege	1572	powershell.EXE
Token: SeDebugPrivilege	2024	powershell.EXE
Token: SeDebugPrivilege	1120	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1704 wrote to memory of 832	1704	Install.exe	29
PID 1704 wrote to memory of 832	1704	Install.exe	29
PID 1704 wrote to memory of 832	1704	Install.exe	29
PID 1704 wrote to memory of 832	1704	Install.exe	29
PID 1704 wrote to memory of 832	1704	Install.exe	29
PID 1704 wrote to memory of 832	1704	Install.exe	29
PID 1704 wrote to memory of 832	1704	Install.exe	29
PID 1704 wrote to memory of 1748	1704	Install.exe	31
PID 1704 wrote to memory of 1748	1704	Install.exe	31
PID 1704 wrote to memory of 1748	1704	Install.exe	31
PID 1704 wrote to memory of 1748	1704	Install.exe	31
PID 1704 wrote to memory of 1748	1704	Install.exe	31
PID 1704 wrote to memory of 1748	1704	Install.exe	31
PID 1704 wrote to memory of 1748	1704	Install.exe	31
PID 1748 wrote to memory of 2040	1748	forfiles.exe	33
PID 1748 wrote to memory of 2040	1748	forfiles.exe	33
PID 1748 wrote to memory of 2040	1748	forfiles.exe	33
PID 1748 wrote to memory of 2040	1748	forfiles.exe	33
PID 1748 wrote to memory of 2040	1748	forfiles.exe	33
PID 1748 wrote to memory of 2040	1748	forfiles.exe	33
PID 1748 wrote to memory of 2040	1748	forfiles.exe	33
PID 832 wrote to memory of 1400	832	forfiles.exe	34
PID 832 wrote to memory of 1400	832	forfiles.exe	34
PID 832 wrote to memory of 1400	832	forfiles.exe	34
PID 832 wrote to memory of 1400	832	forfiles.exe	34
PID 832 wrote to memory of 1400	832	forfiles.exe	34
PID 832 wrote to memory of 1400	832	forfiles.exe	34
PID 832 wrote to memory of 1400	832	forfiles.exe	34
PID 1400 wrote to memory of 1856	1400	cmd.exe	36
PID 1400 wrote to memory of 1856	1400	cmd.exe	36
PID 1400 wrote to memory of 1856	1400	cmd.exe	36
PID 2040 wrote to memory of 568	2040	cmd.exe	35
PID 2040 wrote to memory of 568	2040	cmd.exe	35
PID 2040 wrote to memory of 568	2040	cmd.exe	35
PID 1400 wrote to memory of 1856	1400	cmd.exe	36
PID 1400 wrote to memory of 1856	1400	cmd.exe	36
PID 1400 wrote to memory of 1856	1400	cmd.exe	36
PID 2040 wrote to memory of 568	2040	cmd.exe	35
PID 2040 wrote to memory of 568	2040	cmd.exe	35
PID 1400 wrote to memory of 1856	1400	cmd.exe	36
PID 2040 wrote to memory of 568	2040	cmd.exe	35
PID 2040 wrote to memory of 568	2040	cmd.exe	35
PID 2040 wrote to memory of 1048	2040	cmd.exe	37
PID 2040 wrote to memory of 1048	2040	cmd.exe	37
PID 2040 wrote to memory of 1048	2040	cmd.exe	37
PID 2040 wrote to memory of 1048	2040	cmd.exe	37
PID 2040 wrote to memory of 1048	2040	cmd.exe	37
PID 2040 wrote to memory of 1048	2040	cmd.exe	37
PID 2040 wrote to memory of 1048	2040	cmd.exe	37
PID 1400 wrote to memory of 1640	1400	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\7zS7AAD.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\7zS8B01.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1856
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:568
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1048
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gobwewRSb" /SC once /ST 07:33:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gobwewRSb"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gobwewRSb"
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 11:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\gyfbCuh.exe\" d8 /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1940

C:\Windows\system32\taskeng.exe
taskeng.exe {C6CEFF1E-175C-4944-9999-9CE22B21433F} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1332

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:788

C:\Windows\system32\taskeng.exe
taskeng.exe {D00A7D8F-BC2F-448A-A8A0-412C76EF3B63} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\gyfbCuh.exe
  C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\gyfbCuh.exe d8 /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gebTEfBIZ" /SC once /ST 05:13:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gebTEfBIZ"
    3⤵
    PID:316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gebTEfBIZ"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gqDfVFIVn" /SC once /ST 09:35:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gqDfVFIVn"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gqDfVFIVn"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:688
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\fwhiGQHhSfnZUzkc\GMTlFsUZ\kklsufXJGyskLsbc.wsf"
    3⤵
    PID:268
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\fwhiGQHhSfnZUzkc\GMTlFsUZ\kklsufXJGyskLsbc.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1332
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2028
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:864
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gzkIYRjHz" /SC once /ST 04:27:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:288
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gzkIYRjHz"
    3⤵
    PID:764

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2008

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1796

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7AAD.tmp\Install.exe

Filesize
6.2MB

MD5
6df57bf365098164b09d368e4be05947

SHA1
cad208e99e1c5015bc8dd7462b87879911620c75

SHA256
f20215200835513b65001afc94b0c3a002a0401eee41d36c23c2e31cb5e8c547

SHA512
a7f6a8f920504e2c36a86f43ef172c32ea7b90112d2eea28db190d43764a47c722e6a9294c1db94e85d8936bf4ca78edc6356c425b075e2c08a2cd2550489613

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7AAD.tmp\Install.exe

Filesize
6.2MB

MD5
6df57bf365098164b09d368e4be05947

SHA1
cad208e99e1c5015bc8dd7462b87879911620c75

SHA256
f20215200835513b65001afc94b0c3a002a0401eee41d36c23c2e31cb5e8c547

SHA512
a7f6a8f920504e2c36a86f43ef172c32ea7b90112d2eea28db190d43764a47c722e6a9294c1db94e85d8936bf4ca78edc6356c425b075e2c08a2cd2550489613

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B01.tmp\Install.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B01.tmp\Install.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\gyfbCuh.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\gyfbCuh.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
66f32d0077460a297cc680ee89c5cecb

SHA1
70da7f19b84afb36f327065791e945bc07effda8

SHA256
f8f835683678eeb52900b9899cf9796913b02d34cb861a0162dd0549d3319111

SHA512
59b7646aaf16aa042d8171f340c0bc5dd85e272f45e2a5dd54911200a0a755bf30b0317b71d49992ac285bae9c4e34622962e0957909601460e2df87e47266d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9a40362cbd5d4cb3f742c582e1d961d3

SHA1
5b39f962db215bb26df8ff5c8310c39a4b5ebca4

SHA256
2903de956cfc05aa14f15ea00f627697222b8b6241d2505cc59bf25a1f88675b

SHA512
b3fc3952f9e6851e175fb1e83320bd625d6d95ea2f76ff32f5fff0d1197794a9e10f906f8fb021a6f6648e80c4afec2bfcd602944ba3aad1d370ff9d1af7bf34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
02f7ae2b83d06abcce9ff24dcc33d914

SHA1
6ac89c197ba40dded1a3864285bc8bb1fe8caff3

SHA256
731e2fa0eb5c14a93d920d45d648ce15b765f908c7f4a5fee92f8436fa945d04

SHA512
399cbb5d1a14c4a75c927996cf9e16fec26377f2b5d6b1bfe843a5df2be074a07312a3d8e41141db825bbc476e322c0384c3796edc527eb169d14c2a7cad6a4e

Download Submit
C:\Windows\Temp\fwhiGQHhSfnZUzkc\GMTlFsUZ\kklsufXJGyskLsbc.wsf

Filesize
8KB

MD5
5b3f1ba5f8da1c1ddc9f410f31c02036

SHA1
b77ecff49653e4fdd9fc924d38c9bce4d914c0b9

SHA256
cbb4ac13ddff18affe959b7b64a737fb0453344a7027db2d4707b88f0f27a9e6

SHA512
9f473721fc259de336d7eeef3b6714e509f87549b840c86b3acf6baeb88afb75bfdff74df912fd454bf27f758ecbf1a28b57437ad3196f7b497a4ba997aa9c23

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7AAD.tmp\Install.exe

Filesize
6.2MB

MD5
6df57bf365098164b09d368e4be05947

SHA1
cad208e99e1c5015bc8dd7462b87879911620c75

SHA256
f20215200835513b65001afc94b0c3a002a0401eee41d36c23c2e31cb5e8c547

SHA512
a7f6a8f920504e2c36a86f43ef172c32ea7b90112d2eea28db190d43764a47c722e6a9294c1db94e85d8936bf4ca78edc6356c425b075e2c08a2cd2550489613

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7AAD.tmp\Install.exe

Filesize
6.2MB

MD5
6df57bf365098164b09d368e4be05947

SHA1
cad208e99e1c5015bc8dd7462b87879911620c75

SHA256
f20215200835513b65001afc94b0c3a002a0401eee41d36c23c2e31cb5e8c547

SHA512
a7f6a8f920504e2c36a86f43ef172c32ea7b90112d2eea28db190d43764a47c722e6a9294c1db94e85d8936bf4ca78edc6356c425b075e2c08a2cd2550489613

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7AAD.tmp\Install.exe

Filesize
6.2MB

MD5
6df57bf365098164b09d368e4be05947

SHA1
cad208e99e1c5015bc8dd7462b87879911620c75

SHA256
f20215200835513b65001afc94b0c3a002a0401eee41d36c23c2e31cb5e8c547

SHA512
a7f6a8f920504e2c36a86f43ef172c32ea7b90112d2eea28db190d43764a47c722e6a9294c1db94e85d8936bf4ca78edc6356c425b075e2c08a2cd2550489613

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7AAD.tmp\Install.exe

Filesize
6.2MB

MD5
6df57bf365098164b09d368e4be05947

SHA1
cad208e99e1c5015bc8dd7462b87879911620c75

SHA256
f20215200835513b65001afc94b0c3a002a0401eee41d36c23c2e31cb5e8c547

SHA512
a7f6a8f920504e2c36a86f43ef172c32ea7b90112d2eea28db190d43764a47c722e6a9294c1db94e85d8936bf4ca78edc6356c425b075e2c08a2cd2550489613

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B01.tmp\Install.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B01.tmp\Install.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B01.tmp\Install.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B01.tmp\Install.exe

Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
memory/1064-98-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1064-102-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1064-103-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/1064-95-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1064-96-0x000007FEF3A10000-0x000007FEF4433000-memory.dmp

Filesize
10.1MB

Download
memory/1064-97-0x000007FEF2EB0000-0x000007FEF3A0D000-memory.dmp

Filesize
11.4MB

Download
memory/1064-99-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1064-100-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/1120-186-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/1120-183-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1120-185-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1120-182-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1120-184-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1572-122-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1572-124-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1572-121-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1572-123-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/1572-127-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/1572-126-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1704-73-0x0000000010000000-0x0000000010B5F000-memory.dmp

Filesize
11.4MB

Download
memory/2024-143-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/2024-142-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/2024-140-0x000007FEF2AB0000-0x000007FEF360D000-memory.dmp

Filesize
11.4MB

Download
memory/2024-139-0x000007FEF3610000-0x000007FEF4033000-memory.dmp

Filesize
10.1MB

Download