nanocore | 5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

524KB
MD5

81ffddf2c1d7905204a67f6577e2dc68
SHA1

a89c37a3e12a46ac714887d509a1849791b4b244
SHA256

5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7
SHA512

b871a001fa251a9af36788ceda94ece6772a5f318120db5cada7643e66da7978d0a0f373ab271c15b45a0947f1161ee60284c0621e25e07ea81864a3c8945e4a
SSDEEP

6144:dLeno+U3zituONCfDq/ib4IKEQwpUgQ/Fn7r+DHZ8q6PTZKWCaYVZ6qXW4bPwDJr:sRC+ab4aQlhFnPA81X/Y1cNm+1v6pP

Score

10^/10

nanocore discovery evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

original-financial.gl.at.ply.gg:28916

Mutex

d516db18-d565-4fff-a872-0ad0fd1f18ca

Attributes

activate_away_mode
true
backup_connection_host
original-financial.gl.at.ply.gg
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-09-13T19:32:56.304391136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28916
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d516db18-d565-4fff-a872-0ad0fd1f18ca
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3532	powershell.exe
1012	powershell.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	injection.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 64 IoCs

pid	Process
2912	111111111111111111111111111111111111.exe
4740	injection.exe
2428	111111111111111111111111111111111111.exe
2508	injection.exe
2904	111111111111111111111111111111111111.exe
776	injection.exe
3292	111111111111111111111111111111111111.exe
2704	injection.exe
3808	wlanext.exe
1564	111111111111111111111111111111111111.exe
4452	injection.exe
2840	111111111111111111111111111111111111.exe
4004	injection.exe
268	111111111111111111111111111111111111.exe
5012	injection.exe
5084	111111111111111111111111111111111111.exe
4888	injection.exe
2696	111111111111111111111111111111111111.exe
1640	injection.exe
2412	111111111111111111111111111111111111.exe
4116	injection.exe
100	111111111111111111111111111111111111.exe
3604	injection.exe
4368	111111111111111111111111111111111111.exe
976	injection.exe
4360	111111111111111111111111111111111111.exe
4848	injection.exe
4804	111111111111111111111111111111111111.exe
4008	injection.exe
528	111111111111111111111111111111111111.exe
1344	injection.exe
2492	111111111111111111111111111111111111.exe
2540	injection.exe
4336	111111111111111111111111111111111111.exe
4780	injection.exe
3116	111111111111111111111111111111111111.exe
2528	injection.exe
3232	111111111111111111111111111111111111.exe
2092	injection.exe
4000	111111111111111111111111111111111111.exe
300	injection.exe
1684	111111111111111111111111111111111111.exe
3352	injection.exe
4084	111111111111111111111111111111111111.exe
288	injection.exe
4116	111111111111111111111111111111111111.exe
2540	injection.exe
2928	111111111111111111111111111111111111.exe
464	injection.exe
3056	111111111111111111111111111111111111.exe
4460	injection.exe
1424	111111111111111111111111111111111111.exe
1204	injection.exe
3624	111111111111111111111111111111111111.exe
3996	injection.exe
4368	111111111111111111111111111111111111.exe
3672	injection.exe
280	111111111111111111111111111111111111.exe
284	injection.exe
3252	111111111111111111111111111111111111.exe
4128	injection.exe
4288	111111111111111111111111111111111111.exe
5084	injection.exe
436	111111111111111111111111111111111111.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	111111111111111111111111111111111111.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlanext.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	discord.com
18	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2912	111111111111111111111111111111111111.exe
2912	111111111111111111111111111111111111.exe
2912	111111111111111111111111111111111111.exe
3532	powershell.exe
3532	powershell.exe
1012	powershell.exe
1012	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2912	111111111111111111111111111111111111.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	injection.exe
Token: SeDebugPrivilege	2912	111111111111111111111111111111111111.exe
Token: SeBackupPrivilege	1360	vssvc.exe
Token: SeRestorePrivilege	1360	vssvc.exe
Token: SeAuditPrivilege	1360	vssvc.exe
Token: SeDebugPrivilege	2508	injection.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	776	injection.exe
Token: SeDebugPrivilege	2704	injection.exe
Token: SeDebugPrivilege	3808	wlanext.exe
Token: SeDebugPrivilege	3808	wlanext.exe
Token: SeDebugPrivilege	4452	injection.exe
Token: SeDebugPrivilege	4004	injection.exe
Token: SeDebugPrivilege	5012	injection.exe
Token: SeDebugPrivilege	4888	injection.exe
Token: SeDebugPrivilege	1640	injection.exe
Token: SeDebugPrivilege	4116	injection.exe
Token: SeDebugPrivilege	3604	injection.exe
Token: SeDebugPrivilege	976	injection.exe
Token: SeDebugPrivilege	4848	injection.exe
Token: SeDebugPrivilege	4008	injection.exe
Token: SeDebugPrivilege	1344	injection.exe
Token: SeDebugPrivilege	2540	injection.exe
Token: SeDebugPrivilege	4780	injection.exe
Token: SeDebugPrivilege	2528	injection.exe
Token: SeDebugPrivilege	2092	injection.exe
Token: SeDebugPrivilege	300	injection.exe
Token: SeDebugPrivilege	3352	injection.exe
Token: SeDebugPrivilege	288	injection.exe
Token: SeDebugPrivilege	2540	injection.exe
Token: SeDebugPrivilege	464	injection.exe
Token: SeDebugPrivilege	4460	injection.exe
Token: SeDebugPrivilege	1204	injection.exe
Token: SeDebugPrivilege	3996	injection.exe
Token: SeDebugPrivilege	3672	injection.exe
Token: SeDebugPrivilege	284	injection.exe
Token: SeDebugPrivilege	4128	injection.exe
Token: SeDebugPrivilege	5084	injection.exe
Token: SeDebugPrivilege	2428	injection.exe
Token: SeDebugPrivilege	5012	injection.exe
Token: SeDebugPrivilege	4776	injection.exe
Token: SeDebugPrivilege	2236	injection.exe
Token: SeDebugPrivilege	1344	injection.exe
Token: SeDebugPrivilege	1416	injection.exe
Token: SeDebugPrivilege	3380	injection.exe
Token: SeDebugPrivilege	3776	injection.exe
Token: SeDebugPrivilege	5092	injection.exe
Token: SeDebugPrivilege	5036	injection.exe
Token: SeDebugPrivilege	2376	injection.exe
Token: SeDebugPrivilege	3116	injection.exe
Token: SeDebugPrivilege	2400	injection.exe
Token: SeDebugPrivilege	3840	injection.exe
Token: SeDebugPrivilege	2268	injection.exe
Token: SeDebugPrivilege	2000	injection.exe
Token: SeDebugPrivilege	4552	injection.exe
Token: SeDebugPrivilege	4340	injection.exe
Token: SeDebugPrivilege	3616	injection.exe
Token: SeDebugPrivilege	4156	injection.exe
Token: SeDebugPrivilege	3116	injection.exe
Token: SeDebugPrivilege	4624	injection.exe
Token: SeDebugPrivilege	3820	injection.exe
Token: SeDebugPrivilege	3600	injection.exe
Token: SeDebugPrivilege	224	injection.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2912	1204	Setup.exe	82
PID 1204 wrote to memory of 2912	1204	Setup.exe	82
PID 1204 wrote to memory of 2912	1204	Setup.exe	82
PID 1204 wrote to memory of 4740	1204	Setup.exe	83
PID 1204 wrote to memory of 4740	1204	Setup.exe	83
PID 1204 wrote to memory of 1632	1204	Setup.exe	84
PID 1204 wrote to memory of 1632	1204	Setup.exe	84
PID 4740 wrote to memory of 3532	4740	injection.exe	89
PID 4740 wrote to memory of 3532	4740	injection.exe	89
PID 1632 wrote to memory of 2428	1632	Setup.exe	91
PID 1632 wrote to memory of 2428	1632	Setup.exe	91
PID 1632 wrote to memory of 2428	1632	Setup.exe	91
PID 1632 wrote to memory of 2508	1632	Setup.exe	92
PID 1632 wrote to memory of 2508	1632	Setup.exe	92
PID 1632 wrote to memory of 1492	1632	Setup.exe	93
PID 1632 wrote to memory of 1492	1632	Setup.exe	93
PID 4740 wrote to memory of 1012	4740	injection.exe	94
PID 4740 wrote to memory of 1012	4740	injection.exe	94
PID 1492 wrote to memory of 2904	1492	Setup.exe	96
PID 1492 wrote to memory of 2904	1492	Setup.exe	96
PID 1492 wrote to memory of 2904	1492	Setup.exe	96
PID 1492 wrote to memory of 776	1492	Setup.exe	97
PID 1492 wrote to memory of 776	1492	Setup.exe	97
PID 1492 wrote to memory of 3080	1492	Setup.exe	98
PID 1492 wrote to memory of 3080	1492	Setup.exe	98
PID 3080 wrote to memory of 3292	3080	Setup.exe	99
PID 3080 wrote to memory of 3292	3080	Setup.exe	99
PID 3080 wrote to memory of 3292	3080	Setup.exe	99
PID 3080 wrote to memory of 2704	3080	Setup.exe	100
PID 3080 wrote to memory of 2704	3080	Setup.exe	100
PID 3080 wrote to memory of 1392	3080	Setup.exe	101
PID 3080 wrote to memory of 1392	3080	Setup.exe	101
PID 1392 wrote to memory of 1564	1392	Setup.exe	103
PID 1392 wrote to memory of 1564	1392	Setup.exe	103
PID 1392 wrote to memory of 1564	1392	Setup.exe	103
PID 1392 wrote to memory of 4452	1392	Setup.exe	104
PID 1392 wrote to memory of 4452	1392	Setup.exe	104
PID 1392 wrote to memory of 4060	1392	Setup.exe	105
PID 1392 wrote to memory of 4060	1392	Setup.exe	105
PID 4060 wrote to memory of 2840	4060	Setup.exe	109
PID 4060 wrote to memory of 2840	4060	Setup.exe	109
PID 4060 wrote to memory of 2840	4060	Setup.exe	109
PID 4060 wrote to memory of 4004	4060	Setup.exe	110
PID 4060 wrote to memory of 4004	4060	Setup.exe	110
PID 4060 wrote to memory of 4872	4060	Setup.exe	111
PID 4060 wrote to memory of 4872	4060	Setup.exe	111
PID 4872 wrote to memory of 268	4872	Setup.exe	113
PID 4872 wrote to memory of 268	4872	Setup.exe	113
PID 4872 wrote to memory of 268	4872	Setup.exe	113
PID 4872 wrote to memory of 5012	4872	Setup.exe	114
PID 4872 wrote to memory of 5012	4872	Setup.exe	114
PID 4872 wrote to memory of 2356	4872	Setup.exe	115
PID 4872 wrote to memory of 2356	4872	Setup.exe	115
PID 2356 wrote to memory of 5084	2356	Setup.exe	116
PID 2356 wrote to memory of 5084	2356	Setup.exe	116
PID 2356 wrote to memory of 5084	2356	Setup.exe	116
PID 2356 wrote to memory of 4888	2356	Setup.exe	117
PID 2356 wrote to memory of 4888	2356	Setup.exe	117
PID 2356 wrote to memory of 4436	2356	Setup.exe	118
PID 2356 wrote to memory of 4436	2356	Setup.exe	118
PID 4436 wrote to memory of 2696	4436	Setup.exe	121
PID 4436 wrote to memory of 2696	4436	Setup.exe	121
PID 4436 wrote to memory of 2696	4436	Setup.exe	121
PID 4436 wrote to memory of 1640	4436	Setup.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
  "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\injection.exe
  "C:\Users\Admin\AppData\Local\Temp\injection.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlanext.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
    "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\injection.exe
    "C:\Users\Admin\AppData\Local\Temp\injection.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
      "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\injection.exe
      "C:\Users\Admin\AppData\Local\Temp\injection.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1392
      - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        10⤵
        Checks computer location settings
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        11⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        12⤵
        Checks computer location settings
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        13⤵
        Checks computer location settings
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        14⤵
        Checks computer location settings
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        15⤵
        Checks computer location settings
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        16⤵
        Checks computer location settings
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        17⤵
        Checks computer location settings
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        18⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        19⤵
        Checks computer location settings
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        20⤵
        Checks computer location settings
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        21⤵
        Checks computer location settings
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        22⤵
        Checks computer location settings
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        23⤵
        Checks computer location settings
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        24⤵
        Checks computer location settings
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        25⤵
        Checks computer location settings
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        26⤵
        Checks computer location settings
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        27⤵
        Checks computer location settings
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        28⤵
        Checks computer location settings
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        29⤵
        Checks computer location settings
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        30⤵
        Checks computer location settings
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        31⤵
        Checks computer location settings
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        32⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        33⤵
        Checks computer location settings
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        34⤵
        Checks computer location settings
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        35⤵
        Checks computer location settings
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        36⤵
        Checks computer location settings
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        37⤵
        Checks computer location settings
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        38⤵
        Checks computer location settings
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        39⤵
        Checks computer location settings
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        40⤵
        Checks computer location settings
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        41⤵
        Checks computer location settings
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        42⤵
        Checks computer location settings
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        43⤵
        Checks computer location settings
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        44⤵
        Checks computer location settings
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        45⤵
        Checks computer location settings
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        46⤵
        Checks computer location settings
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        47⤵
        Checks computer location settings
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        48⤵
        Checks computer location settings
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        49⤵
        Checks computer location settings
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        50⤵
        Checks computer location settings
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        51⤵
        Checks computer location settings
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        52⤵
        Checks computer location settings
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        53⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        54⤵
        Checks computer location settings
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        55⤵
        Checks computer location settings
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        56⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        57⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        58⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        58⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        59⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        59⤵
        Checks computer location settings
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        60⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        60⤵
        Checks computer location settings
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        61⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        61⤵
        Checks computer location settings
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        62⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        62⤵
        Checks computer location settings
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        63⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        63⤵
        Checks computer location settings
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        64⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        64⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        65⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        65⤵
        Checks computer location settings
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        66⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        66⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        66⤵
        
        PID:3504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Users\Admin\AppData\Roaming\wlanext.exe
C:\Users\Admin\AppData\Roaming\wlanext.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\111111111111111111111111111111111111.exe.log

Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\injection.exe.log

Filesize
1KB

MD5
c952c967a6c1013f7155cc3efed8cd03

SHA1
dc5bbab6c51387ee4d9863415a196e297457d045

SHA256
f825024aeb196af7aa49d77dccfae841aa55f9fef1c1f6f8f1e0c61032f8be12

SHA512
8126ef222f9ed0f332f56b8754ed24845fc03fadcbe61bf6d82e07da81b143e120ce82be14e59dc98b460e399563e8461bf0925089a71008af58b3acd6d6afef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe

Filesize
209KB

MD5
9258d024ee6fbfe283978e89e25cbc50

SHA1
123f1309dbc98824ec2ebb12f9883a07b873820e

SHA256
392a00e29a7305ead657c6c10d80b446f8b6bfe25a171e63e43439695f40410a

SHA512
993b2a16cfdc8dbd99753349f923a6baf1e801f79d7fb6aa39e15f617b4f798f355a9edddc9e7579ece562e1c254299e974ac46e70efe576a0985554fec15913

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxcxmnuw.34o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\injection.exe

Filesize
399KB

MD5
153deb0e0ffc0b476d5bba8a69778dde

SHA1
4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f

SHA256
4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

SHA512
00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4

Download Submit
C:\Users\Admin\AppData\Roaming\5AB270F5-F3A9-47D1-97D7-BBD50ACF9955\run.dat

Filesize
8B

MD5
a9046c40f36d45efcdb3332b84d93ff6

SHA1
1c29b082ea06f34546ac1084d1f2a2a0aeda7382

SHA256
5d79908d4ca041ba30eeaadf867ea0e717181b560361499cc7262849a37c3e6b

SHA512
54a6e565b30fa1f9cee5067005225d63d5bb938d1a0adbcf8d2cd3d03c21ae877fde5317577c04e091f14e7eed19bc13fb9e7714ef3a707c80d985969d165db6

Download Submit
memory/1204-27-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/1204-0-0x00007FFAA2AA3000-0x00007FFAA2AA5000-memory.dmp

Filesize
8KB

Download
memory/1204-7-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/1204-1-0x0000000000FC0000-0x0000000001048000-memory.dmp

Filesize
544KB

Download
memory/2912-26-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/3532-32-0x0000011077E50000-0x0000011077E72000-memory.dmp

Filesize
136KB

Download
memory/3808-66-0x0000000002A40000-0x0000000002A7A000-memory.dmp

Filesize
232KB

Download
memory/4740-25-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/4740-23-0x0000000000D20000-0x0000000000D8A000-memory.dmp

Filesize
424KB

Download
memory/4740-65-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download