description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ZPXUwoB.exe

pid	Process
3676	Install.exe
1872	Install.exe
1760	ViDsktp.exe
4968	ZPXUwoB.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5FEB33CBE0463E334B23E93A48C2DB5C	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ZPXUwoB.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ZPXUwoB.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	ViDsktp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ViDsktp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ZPXUwoB.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ZPXUwoB.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ZPXUwoB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5FEB33CBE0463E334B23E93A48C2DB5C	ZPXUwoB.exe

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	ZPXUwoB.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ZPXUwoB.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ZPXUwoB.exe
File created	C:\Program Files (x86)\eCbNXTSQanJlC\SQwJLlX.dll	ZPXUwoB.exe
File created	C:\Program Files (x86)\wRLQelouU\OfNExw.dll	ZPXUwoB.exe
File created	C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\SqsewDY.dll	ZPXUwoB.exe
File created	C:\Program Files (x86)\eCbNXTSQanJlC\oFRUBuM.xml	ZPXUwoB.exe
File created	C:\Program Files (x86)\wRLQelouU\swJuFXJ.xml	ZPXUwoB.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	ZPXUwoB.exe
File created	C:\Program Files (x86)\OKneYAAzclQU2\kOXfrNTEYxQwn.dll	ZPXUwoB.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	ZPXUwoB.exe
File created	C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\ODmciAv.xml	ZPXUwoB.exe
File created	C:\Program Files (x86)\vcfECUarZbUn\UmJPIZO.dll	ZPXUwoB.exe
File created	C:\Program Files (x86)\OKneYAAzclQU2\CIAvEQQ.xml	ZPXUwoB.exe

description	ioc	Process
File created	C:\Windows\Tasks\boytPmuAkKgmiEZYSe.job	schtasks.exe
File created	C:\Windows\Tasks\tRsUEOedRvIwZoOQu.job	schtasks.exe
File created	C:\Windows\Tasks\xhAFLspUEGhlntx.job	schtasks.exe
File created	C:\Windows\Tasks\jwkhvtMiulvJCTqog.job	schtasks.exe

pid	Process
1852	schtasks.exe
2096	schtasks.exe
1368	schtasks.exe
600	schtasks.exe
1260	schtasks.exe
4448	schtasks.exe
232	schtasks.exe
3316	schtasks.exe
752	schtasks.exe
2148	schtasks.exe
2064	schtasks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	ZPXUwoB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ZPXUwoB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ZPXUwoB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	ZPXUwoB.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ZPXUwoB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2616110-0000-0000-0000-d01200000000}	ZPXUwoB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	ZPXUwoB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ZPXUwoB.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ZPXUwoB.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ZPXUwoB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2616110-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	ZPXUwoB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3"	ZPXUwoB.exe

pid	Process
1904	powershell.EXE
1904	powershell.EXE
1116	powershell.exe
1116	powershell.exe
3824	powershell.exe
3824	powershell.exe
2008	powershell.EXE
2008	powershell.EXE
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe
4968	ZPXUwoB.exe

description	pid	Process	procid_target
PID 2372 wrote to memory of 3676	2372	file.exe	83
PID 2372 wrote to memory of 3676	2372	file.exe	83
PID 2372 wrote to memory of 3676	2372	file.exe	83
PID 3676 wrote to memory of 1872	3676	Install.exe	84
PID 3676 wrote to memory of 1872	3676	Install.exe	84
PID 3676 wrote to memory of 1872	3676	Install.exe	84
PID 1872 wrote to memory of 4620	1872	Install.exe	85
PID 1872 wrote to memory of 4620	1872	Install.exe	85
PID 1872 wrote to memory of 4620	1872	Install.exe	85
PID 1872 wrote to memory of 3080	1872	Install.exe	87
PID 1872 wrote to memory of 3080	1872	Install.exe	87
PID 1872 wrote to memory of 3080	1872	Install.exe	87
PID 4620 wrote to memory of 1208	4620	forfiles.exe	89
PID 4620 wrote to memory of 1208	4620	forfiles.exe	89
PID 4620 wrote to memory of 1208	4620	forfiles.exe	89
PID 3080 wrote to memory of 1460	3080	forfiles.exe	90
PID 3080 wrote to memory of 1460	3080	forfiles.exe	90
PID 3080 wrote to memory of 1460	3080	forfiles.exe	90
PID 1460 wrote to memory of 4524	1460	cmd.exe	92
PID 1460 wrote to memory of 4524	1460	cmd.exe	92
PID 1460 wrote to memory of 4524	1460	cmd.exe	92
PID 1208 wrote to memory of 4332	1208	cmd.exe	91
PID 1208 wrote to memory of 4332	1208	cmd.exe	91
PID 1208 wrote to memory of 4332	1208	cmd.exe	91
PID 1460 wrote to memory of 3968	1460	cmd.exe	93
PID 1460 wrote to memory of 3968	1460	cmd.exe	93
PID 1460 wrote to memory of 3968	1460	cmd.exe	93
PID 1208 wrote to memory of 3540	1208	cmd.exe	94
PID 1208 wrote to memory of 3540	1208	cmd.exe	94
PID 1208 wrote to memory of 3540	1208	cmd.exe	94
PID 1872 wrote to memory of 232	1872	Install.exe	95
PID 1872 wrote to memory of 232	1872	Install.exe	95
PID 1872 wrote to memory of 232	1872	Install.exe	95
PID 1872 wrote to memory of 4308	1872	Install.exe	97
PID 1872 wrote to memory of 4308	1872	Install.exe	97
PID 1872 wrote to memory of 4308	1872	Install.exe	97
PID 1904 wrote to memory of 4752	1904	powershell.EXE	101
PID 1904 wrote to memory of 4752	1904	powershell.EXE	101
PID 1872 wrote to memory of 1432	1872	Install.exe	112
PID 1872 wrote to memory of 1432	1872	Install.exe	112

description	pid	Process
Token: SeDebugPrivilege	1904	powershell.EXE
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	2008	powershell.EXE

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.